API Reference

thehive4py

client

TheHiveApi(url, apikey=None, username=None, password=None, organisation=None, verify=True, max_retries=DEFAULT_RETRY)

Create a client of TheHive API.

Parameters:

Name	Type	Description	Default
url	str	TheHive's url.	required
apikey	Optional[str]	TheHive's apikey. It's required if username and password is not provided.	None
username	Optional[str]	TheHive's username. It's required if apikey is not provided. Must be specified together with password.	None
password	Optional[str]	TheHive's password. It's required if apikey is not provided. Must be specified together with username.	None
organisation	Optional[str]	TheHive organisation to use in the session.	None
verify	VerifyValue	Either a boolean, in which case it controls whether we verify the server's TLS certificate, or a string, in which case it must be a path to a CA bundle to use.	True
max_retries	RetryValue	Either None, in which case we do not retry failed requests, or a Retry object.	DEFAULT_RETRY

Source code in thehive4py/client.py

def __init__(
    self,
    url: str,
    apikey: Optional[str] = None,
    username: Optional[str] = None,
    password: Optional[str] = None,
    organisation: Optional[str] = None,
    verify: VerifyValue = True,
    max_retries: RetryValue = DEFAULT_RETRY,
):
    """Create a client of TheHive API.

    Parameters:
        url: TheHive's url.
        apikey: TheHive's apikey. It's required if `username` and `password`
            is not provided.
        username: TheHive's username. It's required if `apikey` is not provided.
            Must be specified together with `password`.
        password: TheHive's password. It's required if `apikey` is not provided.
            Must be specified together with `username`.
        organisation: TheHive organisation to use in the session.
        verify: Either a boolean, in which case it controls whether we verify
            the server's TLS certificate, or a string, in which case it must be a
            path to a CA bundle to use.
        max_retries: Either `None`, in which case we do not retry failed requests,
            or a `Retry` object.

    """
    self.session = TheHiveSession(
        url=url,
        apikey=apikey,
        username=username,
        password=password,
        verify=verify,
        max_retries=max_retries,
    )
    self.session_organisation = organisation

    # case management endpoints
    self.alert = AlertEndpoint(self.session)
    self.case = CaseEndpoint(self.session)
    self.case_template = CaseTemplateEndpoint(self.session)
    self.comment = CommentEndpoint(self.session)
    self.observable = ObservableEndpoint(self.session)
    self.procedure = ProcedureEndpoint(self.session)
    self.task = TaskEndpoint(self.session)
    self.task_log = TaskLogEndpoint(self.session)
    self.timeline = TimelineEndpoint(self.session)

    # user management endpoints
    self.user = UserEndpoint(self.session)
    self.organisation = OrganisationEndpoint(self.session)
    self.profile = ProfileEndpoint(self.session)

    # entity endpoints
    self.custom_field = CustomFieldEndpoint(self.session)
    self.observable_type = ObservableTypeEndpoint(self.session)

    # connector endpoints
    self.cortex = CortexEndpoint(self.session)

    # standard endpoints
    self.query = QueryEndpoint(self.session)

session = TheHiveSession(url=url, apikey=apikey, username=username, password=password, verify=verify, max_retries=max_retries) instance-attribute

alert = AlertEndpoint(self.session) instance-attribute

case = CaseEndpoint(self.session) instance-attribute

case_template = CaseTemplateEndpoint(self.session) instance-attribute

comment = CommentEndpoint(self.session) instance-attribute

observable = ObservableEndpoint(self.session) instance-attribute

procedure = ProcedureEndpoint(self.session) instance-attribute

task = TaskEndpoint(self.session) instance-attribute

task_log = TaskLogEndpoint(self.session) instance-attribute

timeline = TimelineEndpoint(self.session) instance-attribute

user = UserEndpoint(self.session) instance-attribute

organisation = OrganisationEndpoint(self.session) instance-attribute

profile = ProfileEndpoint(self.session) instance-attribute

custom_field = CustomFieldEndpoint(self.session) instance-attribute

observable_type = ObservableTypeEndpoint(self.session) instance-attribute

cortex = CortexEndpoint(self.session) instance-attribute

query = QueryEndpoint(self.session) instance-attribute

session_organisation property writable

session

DEFAULT_RETRY = Retry(total=5, backoff_factor=1, status_forcelist=[500, 502, 503, 504], allowed_methods=['GET', 'POST', 'PUT', 'PATCH', 'DELETE'], raise_on_status=False) module-attribute

RetryValue = Union[Retry, int, None] module-attribute

VerifyValue = Union[bool, str] module-attribute

TheHiveSession(url, apikey=None, username=None, password=None, verify=True, max_retries=DEFAULT_RETRY)

Bases: Session

Source code in thehive4py/session.py

def __init__(
    self,
    url: str,
    apikey: Optional[str] = None,
    username: Optional[str] = None,
    password: Optional[str] = None,
    verify: VerifyValue = True,
    max_retries: RetryValue = DEFAULT_RETRY,
):
    super().__init__()
    self.hive_url = self._sanitize_hive_url(url)
    self.verify = verify
    self.headers["User-Agent"] = f"thehive4py/{__version__}"
    self._set_retries(max_retries=max_retries)

    if username and password:
        self.headers["Authorization"] = requests.auth._basic_auth_str(
            username, password
        )
    elif apikey:
        self.headers["Authorization"] = f"Bearer {apikey}"
    else:
        raise TheHiveError(
            "Either apikey or the username/password combination must be provided!"
        )

hive_url = self._sanitize_hive_url(url) instance-attribute

verify = verify instance-attribute

make_request(method, path, params=None, data=None, json=None, files=None, download_path=None)

Source code in thehive4py/session.py

def make_request(
    self,
    method: str,
    path: str,
    params=None,
    data=None,
    json=None,
    files=None,
    download_path: Union[str, PathLike, None] = None,
) -> Any:
    endpoint_url = f"{self.hive_url}{path}"

    headers = {**self.headers}
    if json:
        data = jsonlib.dumps(json, cls=_SessionJSONEncoder)
        headers = {**headers, "Content-Type": "application/json"}

    response = self.request(
        method,
        url=endpoint_url,
        params=params,
        data=data,
        files=files,
        headers=headers,
        verify=self.verify,
        stream=bool(download_path),
    )

    return self._process_response(response, download_path=download_path)

endpoints

alert

AlertEndpoint(session)

Bases: EndpointBase

Source code in thehive4py/endpoints/_base.py

def __init__(self, session: TheHiveSession):
    self._session = session

create(alert, attachment_map=None)

Create an alert.

Parameters:

Name	Type	Description	Default
alert	InputAlert	The body of the alert.	required
attachment_map	Optional[Dict[str, str]]	An optional mapping of observable attachment keys and paths.	None

Returns:

Type	Description
OutputAlert	The created alert.

Source code in thehive4py/endpoints/alert.py

def create(
    self, alert: InputAlert, attachment_map: Optional[Dict[str, str]] = None
) -> OutputAlert:
    """Create an alert.

    Args:
        alert: The body of the alert.
        attachment_map: An optional mapping of observable attachment keys and paths.

    Returns:
        The created alert.
    """
    if attachment_map:
        files: Dict[str, Any] = {
            key: self._fileinfo_from_filepath(path)
            for key, path in attachment_map.items()
        }
        files["_json"] = jsonlib.dumps(alert)
        kwargs: dict = {"files": files}
    else:
        kwargs = {"json": alert}
    return self._session.make_request("POST", path="/api/v1/alert", **kwargs)

get(alert_id)

Get an alert by id.

Parameters:

Name	Type	Description	Default
alert_id	str	The id of the alert.	required

Returns:

Type	Description
OutputAlert	The alert specified by the id.

Source code in thehive4py/endpoints/alert.py

def get(self, alert_id: str) -> OutputAlert:
    """Get an alert by id.

    Args:
        alert_id: The id of the alert.

    Returns:
        The alert specified by the id.
    """

    return self._session.make_request("GET", path=f"/api/v1/alert/{alert_id}")

update(alert_id, fields)

Update an alert.

Parameters:

Name	Type	Description	Default
alert_id	str	The id of the alert.	required
fields	InputUpdateAlert	The fields of the alert to update.	required

Returns:

Type	Description
None	N/A

Source code in thehive4py/endpoints/alert.py

def update(self, alert_id: str, fields: InputUpdateAlert) -> None:
    """Update an alert.

    Args:
        alert_id: The id of the alert.
        fields: The fields of the alert to update.

    Returns:
        N/A
    """
    return self._session.make_request(
        "PATCH", path=f"/api/v1/alert/{alert_id}", json=fields
    )

delete(alert_id)

Delete an alert.

Parameters:

Name	Type	Description	Default
alert_id	str	The id of the alert.	required

Returns:

Type	Description
None	N/A

Source code in thehive4py/endpoints/alert.py

def delete(self, alert_id: str) -> None:
    """Delete an alert.

    Args:
        alert_id: The id of the alert.

    Returns:
        N/A
    """
    return self._session.make_request("DELETE", path=f"/api/v1/alert/{alert_id}")

bulk_update(fields)

Update multiple alerts with the same values.

Parameters:

Name	Type	Description	Default
fields	InputBulkUpdateAlert	The ids and the fields of the alerts to update.	required

Returns:

Type	Description
None	N/A

Source code in thehive4py/endpoints/alert.py

def bulk_update(self, fields: InputBulkUpdateAlert) -> None:
    """Update multiple alerts with the same values.

    Args:
        fields: The ids and the fields of the alerts to update.

    Returns:
        N/A
    """
    return self._session.make_request(
        "PATCH", path="/api/v1/alert/_bulk", json=fields
    )

bulk_delete(ids)

Delete multiple alerts.

Parameters:

Name	Type	Description	Default
ids	List[str]	The ids of the alerts to delete.	required

Returns:

Type	Description
None	N/A

Source code in thehive4py/endpoints/alert.py

def bulk_delete(self, ids: List[str]) -> None:
    """Delete multiple alerts.

    Args:
        ids: The ids of the alerts to delete.

    Returns:
        N/A
    """
    return self._session.make_request(
        "POST", path="/api/v1/alert/delete/_bulk", json={"ids": ids}
    )

follow(alert_id)

Follow an alert.

Parameters:

Name	Type	Description	Default
alert_id	str	The id of the alert.	required

Returns:

Type	Description
None	N/A

Source code in thehive4py/endpoints/alert.py

def follow(self, alert_id: str) -> None:
    """Follow an alert.

    Args:
        alert_id: The id of the alert.

    Returns:
        N/A
    """
    self._session.make_request("POST", path=f"/api/v1/alert/{alert_id}/follow")

unfollow(alert_id)

Unfollow an alert.

Parameters:

Name	Type	Description	Default
alert_id	str	The id of the alert.	required

Returns:

Type	Description
None	N/A

Source code in thehive4py/endpoints/alert.py

def unfollow(self, alert_id: str) -> None:
    """Unfollow an alert.

    Args:
        alert_id: The id of the alert.

    Returns:
        N/A
    """
    self._session.make_request("POST", path=f"/api/v1/alert/{alert_id}/unfollow")

promote_to_case(alert_id, fields={})

Promote an alert into a case.

Parameters:

Name	Type	Description	Default
alert_id	str	The id of the alert.	required
fields	InputPromoteAlert	Override for the fields of the case created from the alert.	{}

Returns:

Type	Description
OutputCase	The case from the promoted alert.

Source code in thehive4py/endpoints/alert.py

def promote_to_case(
    self, alert_id: str, fields: InputPromoteAlert = {}
) -> OutputCase:
    """Promote an alert into a case.

    Args:
        alert_id: The id of the alert.
        fields: Override for the fields of the case created from the alert.

    Returns:
        The case from the promoted alert.
    """
    return self._session.make_request(
        "POST",
        path=f"/api/v1/alert/{alert_id}/case",
        json=fields,
    )

create_observable(alert_id, observable, observable_path=None)

Create an observable in an alert.

Parameters:

Name	Type	Description	Default
alert_id	str	The id of the alert.	required
observable	InputObservable	The fields of the observable to create.	required
observable_path	Optional[str]	Optional path in case of a file based observable.	None

Returns:

Type	Description
List[OutputObservable]	The created alert observables.

Source code in thehive4py/endpoints/alert.py

def create_observable(
    self,
    alert_id: str,
    observable: InputObservable,
    observable_path: Optional[str] = None,
) -> List[OutputObservable]:
    """Create an observable in an alert.

    Args:
        alert_id: The id of the alert.
        observable: The fields of the observable to create.
        observable_path: Optional path in case of a file based observable.

    Returns:
        The created alert observables.
    """

    kwargs = self._build_observable_kwargs(
        observable=observable, observable_path=observable_path
    )
    return self._session.make_request(
        "POST", path=f"/api/v1/alert/{alert_id}/observable", **kwargs
    )

add_attachment(alert_id, attachment_paths)

Create an observable in an alert.

Parameters:

Name	Type	Description	Default
alert_id	str	The id of the alert.	required
attachment_paths	List[str]	List of paths to the attachments to create.	required

Returns:

Type	Description
List[OutputAttachment]	The created alert attachments.

Source code in thehive4py/endpoints/alert.py

def add_attachment(
    self, alert_id: str, attachment_paths: List[str]
) -> List[OutputAttachment]:
    """Create an observable in an alert.

    Args:
        alert_id: The id of the alert.
        attachment_paths: List of paths to the attachments to create.

    Returns:
        The created alert attachments.
    """
    files = [
        ("attachments", self._fileinfo_from_filepath(attachment_path))
        for attachment_path in attachment_paths
    ]
    return self._session.make_request(
        "POST", f"/api/v1/alert/{alert_id}/attachments", files=files
    )["attachments"]

download_attachment(alert_id, attachment_id, attachment_path)

Download an alert attachment.

Parameters:

Name	Type	Description	Default
alert_id	str	The id of the alert.	required
attachment_id	str	The id of the alert attachment.	required
attachment_path	str	The local path to download the attachment to.	required

Returns:

Type	Description
None	N/A

Source code in thehive4py/endpoints/alert.py

def download_attachment(
    self, alert_id: str, attachment_id: str, attachment_path: str
) -> None:
    """Download an alert attachment.

    Args:
        alert_id: The id of the alert.
        attachment_id: The id of the alert attachment.
        attachment_path: The local path to download the attachment to.

    Returns:
        N/A
    """
    return self._session.make_request(
        "GET",
        path=f"/api/v1/alert/{alert_id}/attachment/{attachment_id}/download",
        download_path=attachment_path,
    )

delete_attachment(alert_id, attachment_id)

Delete an alert attachment.

Parameters:

Name	Type	Description	Default
alert_id	str	The id of the alert.	required
attachment_id	str	The id of the alert attachment.	required

Returns:

Type	Description
None	N/A

Source code in thehive4py/endpoints/alert.py

def delete_attachment(self, alert_id: str, attachment_id: str) -> None:
    """Delete an alert attachment.

    Args:
        alert_id: The id of the alert.
        attachment_id: The id of the alert attachment.

    Returns:
        N/A
    """

    return self._session.make_request(
        "DELETE", path=f"/api/v1/alert/{alert_id}/attachment/{attachment_id}"
    )

merge_into_case(alert_id, case_id)

Merge an alert into an existing case.

Parameters:

Name	Type	Description	Default
alert_id	str	The id of the alert to merge.	required
case_id	str	The id of the case to merge the alert into.	required

Returns:

Type	Description
OutputCase	The case into which the alert was merged.

Source code in thehive4py/endpoints/alert.py

def merge_into_case(self, alert_id: str, case_id: str) -> OutputCase:
    """Merge an alert into an existing case.

    Args:
        alert_id: The id of the alert to merge.
        case_id: The id of the case to merge the alert into.

    Returns:
        The case into which the alert was merged.
    """
    return self._session.make_request(
        "POST", path=f"/api/v1/alert/{alert_id}/merge/{case_id}"
    )

bulk_merge_into_case(case_id, alert_ids)

Merge an alert into an existing case.

Parameters:

Name	Type	Description	Default
case_id	str	The id of the case to merge the alerts into.	required
alert_ids	List[str]	The list of alert ids to merge.	required

Returns:

Type	Description
OutputCase	The case into which the alerts were merged.

Source code in thehive4py/endpoints/alert.py

def bulk_merge_into_case(self, case_id: str, alert_ids: List[str]) -> OutputCase:
    """Merge an alert into an existing case.

    Args:
        case_id: The id of the case to merge the alerts into.
        alert_ids: The list of alert ids to merge.

    Returns:
        The case into which the alerts were merged.
    """
    return self._session.make_request(
        "POST",
        path="/api/v1/alert/merge/_bulk",
        json={"caseId": case_id, "alertIds": alert_ids},
    )

find(filters=None, sortby=None, paginate=None)

Find multiple alerts.

Parameters:

Name	Type	Description	Default
filters	Optional[FilterExpr]	The filter expressions to apply in the query.	None
sortby	Optional[SortExpr]	The sort expressions to apply in the query.	None
paginate	Optional[Paginate]	The pagination experssion to apply in the query.	None

Returns:

Type	Description
List[OutputAlert]	The list of alerts matched by the query or an empty list.

Source code in thehive4py/endpoints/alert.py

def find(
    self,
    filters: Optional[FilterExpr] = None,
    sortby: Optional[SortExpr] = None,
    paginate: Optional[Paginate] = None,
) -> List[OutputAlert]:
    """Find multiple alerts.

    Args:
        filters: The filter expressions to apply in the query.
        sortby: The sort expressions to apply in the query.
        paginate: The pagination experssion to apply in the query.

    Returns:
        The list of alerts matched by the query or an empty list.
    """
    query: QueryExpr = [
        {"_name": "listAlert"},
        *self._build_subquery(filters=filters, sortby=sortby, paginate=paginate),
    ]

    return self._session.make_request(
        "POST",
        path="/api/v1/query",
        params={"name": "alerts"},
        json={"query": query},
    )

count(filters=None)

Count alerts.

Parameters:

Name	Type	Description	Default
filters	Optional[FilterExpr]	The filter expressions to apply in the query.	None

Returns:

Type	Description
int	The count of alerts matched by the query.

Source code in thehive4py/endpoints/alert.py

def count(self, filters: Optional[FilterExpr] = None) -> int:
    """Count alerts.

    Args:
        filters: The filter expressions to apply in the query.

    Returns:
        The count of alerts matched by the query.
    """

    query: QueryExpr = [
        {"_name": "listAlert"},
        *self._build_subquery(filters=filters),
        {"_name": "count"},
    ]

    return self._session.make_request(
        "POST",
        path="/api/v1/query",
        params={"name": "alerts.count"},
        json={"query": query},
    )

find_observables(alert_id, filters=None, sortby=None, paginate=None)

Find observable related to an alert.

Parameters:

Name	Type	Description	Default
alert_id	str	The id of the alert.	required
filters	Optional[FilterExpr]	The filter expressions to apply in the query.	None
sortby	Optional[SortExpr]	The sort expressions to apply in the query.	None
paginate	Optional[Paginate]	The pagination experssion to apply in the query.	None

Returns:

Type	Description
List[OutputObservable]	The list of alert observables matched by the query or an empty list.

Source code in thehive4py/endpoints/alert.py

def find_observables(
    self,
    alert_id: str,
    filters: Optional[FilterExpr] = None,
    sortby: Optional[SortExpr] = None,
    paginate: Optional[Paginate] = None,
) -> List[OutputObservable]:
    """Find observable related to an alert.

    Args:
        alert_id: The id of the alert.
        filters: The filter expressions to apply in the query.
        sortby: The sort expressions to apply in the query.
        paginate: The pagination experssion to apply in the query.

    Returns:
        The list of alert observables matched by the query or an empty list.
    """
    query: QueryExpr = [
        {"_name": "getAlert", "idOrName": alert_id},
        {"_name": "observables"},
        *self._build_subquery(filters=filters, sortby=sortby, paginate=paginate),
    ]
    return self._session.make_request(
        "POST",
        path="/api/v1/query",
        params={"name": "alert-observables"},
        json={"query": query},
    )

find_comments(alert_id, filters=None, sortby=None, paginate=None)

Find comments related to an alert.

Parameters:

Name	Type	Description	Default
alert_id	str	The id of the alert.	required
filters	Optional[FilterExpr]	The filter expressions to apply in the query.	None
sortby	Optional[SortExpr]	The sort expressions to apply in the query.	None
paginate	Optional[Paginate]	The pagination experssion to apply in the query.	None

Returns:

Type	Description
List[OutputComment]	The list of alert comments matched by the query or an empty list.

Source code in thehive4py/endpoints/alert.py

def find_comments(
    self,
    alert_id: str,
    filters: Optional[FilterExpr] = None,
    sortby: Optional[SortExpr] = None,
    paginate: Optional[Paginate] = None,
) -> List[OutputComment]:
    """Find comments related to an alert.

    Args:
        alert_id: The id of the alert.
        filters: The filter expressions to apply in the query.
        sortby: The sort expressions to apply in the query.
        paginate: The pagination experssion to apply in the query.

    Returns:
        The list of alert comments matched by the query or an empty list.
    """
    query: QueryExpr = [
        {"_name": "getAlert", "idOrName": alert_id},
        {"_name": "comments"},
        *self._build_subquery(filters=filters, sortby=sortby, paginate=paginate),
    ]
    return self._session.make_request(
        "POST",
        path="/api/v1/query",
        params={"name": "alert-comments"},
        json={"query": query},
    )

create_procedure(alert_id, procedure)

Create an alert procedure.

Parameters:

Name	Type	Description	Default
alert_id	str	The id of the alert.	required
procedure	InputProcedure	The fields of the procedure to create.	required

Returns:

Type	Description
OutputProcedure	The created alert procedure.

Source code in thehive4py/endpoints/alert.py

def create_procedure(
    self, alert_id: str, procedure: InputProcedure
) -> OutputProcedure:
    """Create an alert procedure.

    Args:
        alert_id: The id of the alert.
        procedure: The fields of the procedure to create.

    Returns:
        The created alert procedure.
    """
    return self._session.make_request(
        "POST", path=f"/api/v1/alert/{alert_id}/procedure", json=procedure
    )

find_procedures(alert_id, filters=None, sortby=None, paginate=None)

Find procedures related to an alert.

Parameters:

Name	Type	Description	Default
alert_id	str	The id of the alert.	required
filters	Optional[FilterExpr]	The filter expressions to apply in the query.	None
sortby	Optional[SortExpr]	The sort expressions to apply in the query.	None
paginate	Optional[Paginate]	The pagination experssion to apply in the query.	None

Returns:

Type	Description
List[OutputProcedure]	The list of alert procedures matched by the query or an empty list.

Source code in thehive4py/endpoints/alert.py

def find_procedures(
    self,
    alert_id: str,
    filters: Optional[FilterExpr] = None,
    sortby: Optional[SortExpr] = None,
    paginate: Optional[Paginate] = None,
) -> List[OutputProcedure]:
    """Find procedures related to an alert.

    Args:
        alert_id: The id of the alert.
        filters: The filter expressions to apply in the query.
        sortby: The sort expressions to apply in the query.
        paginate: The pagination experssion to apply in the query.

    Returns:
        The list of alert procedures matched by the query or an empty list.
    """
    query: QueryExpr = [
        {"_name": "getAlert", "idOrName": alert_id},
        {"_name": "procedures"},
        *self._build_subquery(filters=filters, sortby=sortby, paginate=paginate),
    ]

    return self._session.make_request(
        "POST",
        path="/api/v1/query",
        params={"name": "alert-procedures"},
        json={"query": query},
    )

find_attachments(alert_id, filters=None, sortby=None, paginate=None)

Find attachments related to an alert.

Parameters:

Name	Type	Description	Default
alert_id	str	The id of the alert.	required
filters	Optional[FilterExpr]	The filter expressions to apply in the query.	None
sortby	Optional[SortExpr]	The sort expressions to apply in the query.	None
paginate	Optional[Paginate]	The pagination experssion to apply in the query.	None

Returns:

Type	Description
List[OutputAttachment]	The list of alert attachments matched by the query or an empty list.

Source code in thehive4py/endpoints/alert.py

def find_attachments(
    self,
    alert_id: str,
    filters: Optional[FilterExpr] = None,
    sortby: Optional[SortExpr] = None,
    paginate: Optional[Paginate] = None,
) -> List[OutputAttachment]:
    """Find attachments related to an alert.

    Args:
        alert_id: The id of the alert.
        filters: The filter expressions to apply in the query.
        sortby: The sort expressions to apply in the query.
        paginate: The pagination experssion to apply in the query.

    Returns:
        The list of alert attachments matched by the query or an empty list.
    """
    query: QueryExpr = [
        {"_name": "getAlert", "idOrName": alert_id},
        {"_name": "attachments"},
        *self._build_subquery(filters=filters, sortby=sortby, paginate=paginate),
    ]
    return self._session.make_request(
        "POST",
        path="/api/v1/query",
        params={"name": "alert-attachments"},
        json={"query": query},
    )

case

CaseId = Union[str, int] module-attribute

CaseEndpoint(session)

Bases: EndpointBase

Source code in thehive4py/endpoints/_base.py

def __init__(self, session: TheHiveSession):
    self._session = session

create(case)

Source code in thehive4py/endpoints/case.py

def create(self, case: InputCase) -> OutputCase:
    return self._session.make_request("POST", path="/api/v1/case", json=case)

get(case_id)

Source code in thehive4py/endpoints/case.py

def get(self, case_id: CaseId) -> OutputCase:
    return self._session.make_request("GET", path=f"/api/v1/case/{case_id}")

delete(case_id)

Source code in thehive4py/endpoints/case.py

def delete(self, case_id: CaseId) -> None:
    self._session.make_request("DELETE", path=f"/api/v1/case/{case_id}")

update(case_id, fields={}, **kwargs)

Source code in thehive4py/endpoints/case.py

def update(
    self, case_id: CaseId, fields: Optional[InputUpdateCase] = {}, **kwargs
) -> None:

    if not fields:
        if "case" not in kwargs:
            raise TheHiveError(
                f"Unrecognized keyword arguments: {list(kwargs.keys())}. "
                "Please use the `fields` argument to supply case update values."
            )
        warnings.warn(
            message="The `case` argument has been deprecated to follow the same "
            "convention like other update methods. Please use the `fields` "
            "argument to prevent breaking changes in the future.",
            category=DeprecationWarning,
            stacklevel=2,
        )
        fields = kwargs["case"]

    return self._session.make_request(
        "PATCH", path=f"/api/v1/case/{case_id}", json=fields
    )

bulk_update(fields)

Source code in thehive4py/endpoints/case.py

def bulk_update(self, fields: InputBulkUpdateCase) -> None:
    return self._session.make_request(
        "PATCH", path="/api/v1/case/_bulk", json=fields
    )

merge(case_ids)

Source code in thehive4py/endpoints/case.py

def merge(self, case_ids: Sequence[CaseId]) -> OutputCase:
    case_id_subpath = ",".join([str(case_id) for case_id in case_ids])
    return self._session.make_request(
        "POST", path=f"/api/v1/case/_merge/{case_id_subpath}"
    )

unlink_alert(case_id, alert_id)

Source code in thehive4py/endpoints/case.py

def unlink_alert(self, case_id: str, alert_id: str) -> None:
    return self._session.make_request(
        "DELETE", path=f"/api/v1/case/{case_id}/alert/{alert_id}"
    )

merge_similar_observables(case_id)

Source code in thehive4py/endpoints/case.py

def merge_similar_observables(self, case_id: CaseId) -> dict:
    # TODO: add better return value type hint
    return self._session.make_request(
        "POST", path=f"/api/v1/case/{case_id}/observable/_merge"
    )

get_linked_cases(case_id)

Source code in thehive4py/endpoints/case.py

def get_linked_cases(self, case_id: CaseId) -> List[OutputCase]:
    return self._session.make_request("GET", path=f"/api/v1/case/{case_id}/links")

delete_custom_field(custom_field_id)

Source code in thehive4py/endpoints/case.py

def delete_custom_field(self, custom_field_id: str) -> None:
    return self._session.make_request(
        "DELETE", path=f"/api/v1/case/customField/{custom_field_id}"
    )

import_from_file(import_case, import_path)

Source code in thehive4py/endpoints/case.py

def import_from_file(self, import_case: InputImportCase, import_path: str) -> dict:
    # TODO: add better return type hints
    return self._session.make_request(
        "POST",
        path="/api/v1/case/import",
        data={"_json": jsonlib.dumps(import_case)},
        files={"file": self._fileinfo_from_filepath(import_path)},
    )

export_to_file(case_id, password, export_path)

Source code in thehive4py/endpoints/case.py

def export_to_file(self, case_id: CaseId, password: str, export_path: str) -> None:
    return self._session.make_request(
        "GET",
        path=f"/api/v1/case/{case_id}/export",
        params={"password": password},
        download_path=export_path,
    )

get_timeline(case_id)

Source code in thehive4py/endpoints/case.py

def get_timeline(self, case_id: CaseId) -> OutputTimeline:
    return self._session.make_request("GET", f"/api/v1/case/{case_id}/timeline")

add_attachment(case_id, attachment_paths)

Source code in thehive4py/endpoints/case.py

def add_attachment(
    self, case_id: CaseId, attachment_paths: List[str]
) -> List[OutputAttachment]:
    files = [
        ("attachments", self._fileinfo_from_filepath(attachment_path))
        for attachment_path in attachment_paths
    ]
    return self._session.make_request(
        "POST", f"/api/v1/case/{case_id}/attachments", files=files
    )["attachments"]

download_attachment(case_id, attachment_id, attachment_path)

Source code in thehive4py/endpoints/case.py

def download_attachment(
    self, case_id: CaseId, attachment_id: str, attachment_path: str
) -> None:
    return self._session.make_request(
        "GET",
        path=f"/api/v1/case/{case_id}/attachment/{attachment_id}/download",
        download_path=attachment_path,
    )

delete_attachment(case_id, attachment_id)

Source code in thehive4py/endpoints/case.py

def delete_attachment(self, case_id: CaseId, attachment_id: str) -> None:
    return self._session.make_request(
        "DELETE", path=f"/api/v1/case/{case_id}/attachment/{attachment_id}"
    )

list_shares(case_id)

Source code in thehive4py/endpoints/case.py

def list_shares(self, case_id: CaseId) -> List[OutputShare]:
    return self._session.make_request("GET", path=f"/api/v1/case/{case_id}/shares")

share(case_id, shares)

Source code in thehive4py/endpoints/case.py

def share(self, case_id: CaseId, shares: List[InputShare]) -> List[OutputShare]:
    return self._session.make_request(
        "POST", path=f"/api/v1/case/{case_id}/shares", json={"shares": shares}
    )

unshare(case_id, organisation_ids)

Source code in thehive4py/endpoints/case.py

def unshare(self, case_id: CaseId, organisation_ids: List[str]) -> None:
    return self._session.make_request(
        "DELETE",
        path=f"/api/v1/case/{case_id}/shares",
        json={"organisations": organisation_ids},
    )

set_share(case_id, shares)

Source code in thehive4py/endpoints/case.py

def set_share(self, case_id: CaseId, shares: List[InputShare]) -> List[OutputShare]:
    return self._session.make_request(
        "PUT", path=f"/api/v1/case/{case_id}/shares", json={"shares": shares}
    )

remove_share(share_id)

Source code in thehive4py/endpoints/case.py

def remove_share(self, share_id: str) -> None:
    return self._session.make_request(
        "DELETE", path=f"/api/v1/case/share/{share_id}"
    )

update_share(share_id, profile)

Source code in thehive4py/endpoints/case.py

def update_share(self, share_id: str, profile: str) -> None:
    return self._session.make_request(
        "PATCH", path=f"/api/v1/case/share/{share_id}", json={"profile": profile}
    )

find(filters=None, sortby=None, paginate=None)

Source code in thehive4py/endpoints/case.py

def find(
    self,
    filters: Optional[FilterExpr] = None,
    sortby: Optional[SortExpr] = None,
    paginate: Optional[Paginate] = None,
) -> List[OutputCase]:
    query: QueryExpr = [
        {"_name": "listCase"},
        *self._build_subquery(filters=filters, sortby=sortby, paginate=paginate),
    ]

    return self._session.make_request(
        "POST",
        path="/api/v1/query",
        params={"name": "cases"},
        json={"query": query},
    )

count(filters=None)

Source code in thehive4py/endpoints/case.py

def count(self, filters: Optional[FilterExpr] = None) -> int:
    query: QueryExpr = [
        {"_name": "listCase"},
        *self._build_subquery(filters=filters),
        {"_name": "count"},
    ]

    return self._session.make_request(
        "POST",
        path="/api/v1/query",
        params={"name": "cases.count"},
        json={"query": query},
    )

create_task(case_id, task)

Source code in thehive4py/endpoints/case.py

def create_task(self, case_id: CaseId, task: InputTask) -> OutputTask:
    return self._session.make_request(
        "POST",
        path=f"/api/v1/case/{case_id}/task",
        json=task,
    )

find_tasks(case_id, filters=None, sortby=None, paginate=None)

Source code in thehive4py/endpoints/case.py

def find_tasks(
    self,
    case_id: CaseId,
    filters: Optional[FilterExpr] = None,
    sortby: Optional[SortExpr] = None,
    paginate: Optional[Paginate] = None,
) -> List[OutputTask]:
    query: QueryExpr = [
        {"_name": "getCase", "idOrName": case_id},
        {"_name": "tasks"},
        *self._build_subquery(filters=filters, sortby=sortby, paginate=paginate),
    ]

    return self._session.make_request(
        "POST",
        path="/api/v1/query",
        params={"name": "case-tasks"},
        json={"query": query},
    )

create_observable(case_id, observable, observable_path=None)

Source code in thehive4py/endpoints/case.py

def create_observable(
    self,
    case_id: CaseId,
    observable: InputObservable,
    observable_path: Optional[str] = None,
) -> List[OutputObservable]:
    kwargs = self._build_observable_kwargs(
        observable=observable, observable_path=observable_path
    )
    return self._session.make_request(
        "POST", path=f"/api/v1/case/{case_id}/observable", **kwargs
    )

find_observables(case_id, filters=None, sortby=None, paginate=None)

Source code in thehive4py/endpoints/case.py

def find_observables(
    self,
    case_id: CaseId,
    filters: Optional[FilterExpr] = None,
    sortby: Optional[SortExpr] = None,
    paginate: Optional[Paginate] = None,
) -> List[OutputObservable]:
    query: QueryExpr = [
        {"_name": "getCase", "idOrName": case_id},
        {"_name": "observables"},
        *self._build_subquery(filters=filters, sortby=sortby, paginate=paginate),
    ]
    return self._session.make_request(
        "POST",
        path="/api/v1/query",
        params={"name": "case-observables"},
        json={"query": query},
    )

create_procedure(case_id, procedure)

Source code in thehive4py/endpoints/case.py

def create_procedure(
    self, case_id: str, procedure: InputProcedure
) -> OutputProcedure:
    return self._session.make_request(
        "POST", path=f"/api/v1/case/{case_id}/procedure", json=procedure
    )

find_procedures(case_id, filters=None, sortby=None, paginate=None)

Source code in thehive4py/endpoints/case.py

def find_procedures(
    self,
    case_id: str,
    filters: Optional[FilterExpr] = None,
    sortby: Optional[SortExpr] = None,
    paginate: Optional[Paginate] = None,
) -> List[OutputProcedure]:
    query: QueryExpr = [
        {"_name": "getCase", "idOrName": case_id},
        {"_name": "procedures"},
        *self._build_subquery(filters=filters, sortby=sortby, paginate=paginate),
    ]

    return self._session.make_request(
        "POST",
        path="/api/v1/query",
        params={"name": "case-procedures"},
        json={"query": query},
    )

create_page(case_id, page)

Source code in thehive4py/endpoints/case.py

def create_page(self, case_id: str, page: InputCasePage) -> OutputCasePage:
    return self._session.make_request(
        "POST", path=f"/api/v1/case/{case_id}/page", json=page
    )

delete_page(case_id, page_id)

Source code in thehive4py/endpoints/case.py

def delete_page(self, case_id: str, page_id: str) -> None:
    return self._session.make_request(
        "DELETE", path=f"/api/v1/case/{case_id}/page/{page_id}"
    )

update_page(case_id, page_id, page)

Source code in thehive4py/endpoints/case.py

def update_page(
    self, case_id: str, page_id: str, page: InputUpdateCasePage
) -> None:
    return self._session.make_request(
        "PATCH", path=f"/api/v1/case/{case_id}/page/{page_id}", json=page
    )

find_pages(case_id, filters=None, sortby=None, paginate=None)

Source code in thehive4py/endpoints/case.py

def find_pages(
    self,
    case_id: str,
    filters: Optional[FilterExpr] = None,
    sortby: Optional[SortExpr] = None,
    paginate: Optional[Paginate] = None,
) -> List[OutputProcedure]:
    query: QueryExpr = [
        {"_name": "getCase", "idOrName": case_id},
        {"_name": "pages"},
        *self._build_subquery(filters=filters, sortby=sortby, paginate=paginate),
    ]

    return self._session.make_request(
        "POST",
        path="/api/v1/query",
        params={"name": "case-pages"},
        json={"query": query},
    )

find_attachments(case_id, filters=None, sortby=None, paginate=None)

Source code in thehive4py/endpoints/case.py

def find_attachments(
    self,
    case_id: CaseId,
    filters: Optional[FilterExpr] = None,
    sortby: Optional[SortExpr] = None,
    paginate: Optional[Paginate] = None,
) -> List[OutputAttachment]:
    query: QueryExpr = [
        {"_name": "getCase", "idOrName": case_id},
        {"_name": "attachments"},
        *self._build_subquery(filters=filters, sortby=sortby, paginate=paginate),
    ]
    return self._session.make_request(
        "POST",
        path="/api/v1/query",
        params={"name": "case-attachments"},
        json={"query": query},
    )

find_comments(case_id, filters=None, sortby=None, paginate=None)

Source code in thehive4py/endpoints/case.py

def find_comments(
    self,
    case_id: CaseId,
    filters: Optional[FilterExpr] = None,
    sortby: Optional[SortExpr] = None,
    paginate: Optional[Paginate] = None,
) -> List[OutputComment]:
    query: QueryExpr = [
        {"_name": "getCase", "idOrName": case_id},
        {"_name": "comments"},
        *self._build_subquery(filters=filters, sortby=sortby, paginate=paginate),
    ]
    return self._session.make_request(
        "POST",
        path="/api/v1/query",
        params={"name": "case-comments"},
        json={"query": query},
    )

close(case_id, status, summary, impact_status='NotApplicable')

Source code in thehive4py/endpoints/case.py

def close(
    self,
    case_id: CaseId,
    status: CaseStatusValue,
    summary: str,
    impact_status: ImpactStatusValue = "NotApplicable",
) -> None:
    case: InputUpdateCase = {
        "status": status,
        "impactStatus": impact_status,
        "summary": summary,
    }
    return self.update(
        case_id,
        case,
    )

open(case_id, status=CaseStatus.InProgress)

Source code in thehive4py/endpoints/case.py

def open(
    self, case_id: CaseId, status: CaseStatusValue = CaseStatus.InProgress
) -> None:
    case: InputUpdateCase = {"status": status}
    return self.update(case_id, case)

case_template

CaseTemplateEndpoint(session)

Bases: EndpointBase

Source code in thehive4py/endpoints/_base.py

def __init__(self, session: TheHiveSession):
    self._session = session

find(filters=None, sortby=None, paginate=None)

Source code in thehive4py/endpoints/case_template.py

def find(
    self,
    filters: Optional[FilterExpr] = None,
    sortby: Optional[SortExpr] = None,
    paginate: Optional[Paginate] = None,
) -> List[OutputCaseTemplate]:
    query: QueryExpr = [
        {"_name": "listCaseTemplate"},
        *self._build_subquery(filters=filters, sortby=sortby, paginate=paginate),
    ]

    return self._session.make_request(
        "POST",
        path="/api/v1/query",
        json={"query": query},
        params={"name": "caseTemplate"},
    )

get(case_template_id)

Source code in thehive4py/endpoints/case_template.py

def get(self, case_template_id: str) -> OutputCaseTemplate:
    return self._session.make_request(
        "GET", path=f"/api/v1/caseTemplate/{case_template_id}"
    )

create(case_template)

Source code in thehive4py/endpoints/case_template.py

def create(self, case_template: InputCaseTemplate) -> OutputCaseTemplate:
    return self._session.make_request(
        "POST", path="/api/v1/caseTemplate", json=case_template
    )

delete(case_template_id)

Source code in thehive4py/endpoints/case_template.py

def delete(self, case_template_id: str) -> None:
    return self._session.make_request(
        "DELETE", path=f"/api/v1/caseTemplate/{case_template_id}"
    )

update(case_template_id, fields)

Source code in thehive4py/endpoints/case_template.py

def update(self, case_template_id: str, fields: InputCaseTemplate) -> None:
    return self._session.make_request(
        "PATCH", path=f"/api/v1/caseTemplate/{case_template_id}", json=fields
    )

comment

CommentEndpoint(session)

Bases: EndpointBase

Source code in thehive4py/endpoints/_base.py

def __init__(self, session: TheHiveSession):
    self._session = session

create_in_alert(alert_id, comment)

Source code in thehive4py/endpoints/comment.py

def create_in_alert(self, alert_id: str, comment: InputComment) -> OutputComment:
    return self._session.make_request(
        "POST", path=f"/api/v1/alert/{alert_id}/comment", json=comment
    )

create_in_case(case_id, comment)

Source code in thehive4py/endpoints/comment.py

def create_in_case(self, case_id: str, comment: InputComment) -> OutputComment:
    return self._session.make_request(
        "POST", path=f"/api/v1/case/{case_id}/comment", json=comment
    )

get(comment_id)

Source code in thehive4py/endpoints/comment.py

def get(self, comment_id: str) -> OutputComment:
    # TODO: temp implementation until a dedicated get endpoint
    comments = self._session.make_request(
        "POST",
        path="/api/v1/query",
        json={"query": [{"_name": "getComment", "idOrName": comment_id}]},
    )
    try:
        return comments[0]
    except IndexError:
        raise TheHiveError("404 - Comment not found")

delete(comment_id)

Source code in thehive4py/endpoints/comment.py

def delete(self, comment_id: str) -> None:
    return self._session.make_request(
        "DELETE", path=f"/api/v1/comment/{comment_id}"
    )

update(comment_id, fields)

Source code in thehive4py/endpoints/comment.py

def update(self, comment_id: str, fields: InputUpdateComment) -> None:
    return self._session.make_request(
        "PATCH", path=f"/api/v1/comment/{comment_id}", json=fields
    )

cortex

CortexEndpoint(session)

Bases: EndpointBase

Source code in thehive4py/endpoints/_base.py

def __init__(self, session: TheHiveSession):
    self._session = session

create_analyzer_job(job)

Source code in thehive4py/endpoints/cortex.py

def create_analyzer_job(self, job: InputAnalyzerJob) -> OutputAnalyzerJob:
    return self._session.make_request(
        "POST", path="/api/connector/cortex/job", json=job
    )

create_responder_action(action)

Source code in thehive4py/endpoints/cortex.py

def create_responder_action(
    self, action: InputResponderAction
) -> OutputResponderAction:
    return self._session.make_request(
        "POST", path="/api/connector/cortex/action", json=action
    )

list_analyzers(range=None)

Source code in thehive4py/endpoints/cortex.py

def list_analyzers(self, range: Optional[str] = None) -> List[OutputAnalyzer]:
    params = {"range": range}
    return self._session.make_request(
        "GET", path="/api/connector/cortex/analyzer", params=params
    )

list_analyzers_by_type(data_type)

Source code in thehive4py/endpoints/cortex.py

def list_analyzers_by_type(self, data_type: str) -> List[OutputAnalyzer]:
    return self._session.make_request(
        "GET", path=f"/api/connector/cortex/analyzer/type/{data_type}"
    )

get_analyzer(analyzer_id)

Source code in thehive4py/endpoints/cortex.py

def get_analyzer(self, analyzer_id: str) -> OutputAnalyzer:
    return self._session.make_request(
        "GET", path=f"/api/connector/cortex/analyzer/{analyzer_id}"
    )

get_analyzer_job(job_id)

Source code in thehive4py/endpoints/cortex.py

def get_analyzer_job(self, job_id: str) -> OutputAnalyzerJob:
    return self._session.make_request(
        "GET", path=f"/api/connector/cortex/job/{job_id}"
    )

list_responders(entity_type, entity_id)

Source code in thehive4py/endpoints/cortex.py

def list_responders(
    self, entity_type: str, entity_id: str
) -> List[OutputResponder]:
    return self._session.make_request(
        "GET", f"/api/connector/cortex/responder/{entity_type}/{entity_id}"
    )

custom_field

CustomFieldEndpoint(session)

Bases: EndpointBase

Source code in thehive4py/endpoints/_base.py

def __init__(self, session: TheHiveSession):
    self._session = session

create(custom_field)

Source code in thehive4py/endpoints/custom_field.py

def create(self, custom_field: InputCustomField) -> OutputCustomField:
    return self._session.make_request(
        "POST", path="/api/v1/customField", json=custom_field
    )

list()

Source code in thehive4py/endpoints/custom_field.py

def list(self) -> List[OutputCustomField]:
    return self._session.make_request("GET", path="/api/v1/customField")

delete(custom_field_id)

Source code in thehive4py/endpoints/custom_field.py

def delete(self, custom_field_id: str) -> None:
    return self._session.make_request(
        "DELETE", path=f"/api/v1/customField/{custom_field_id}"
    )

update(custom_field_id, fields)

Source code in thehive4py/endpoints/custom_field.py

def update(self, custom_field_id: str, fields: InputUpdateCustomField) -> None:
    return self._session.make_request(
        "PATCH", path=f"/api/v1/customField/{custom_field_id}", json=fields
    )

observable

ObservableEndpoint(session)

Bases: EndpointBase

Source code in thehive4py/endpoints/_base.py

def __init__(self, session: TheHiveSession):
    self._session = session

create_in_alert(alert_id, observable, observable_path=None)

Source code in thehive4py/endpoints/observable.py

def create_in_alert(
    self,
    alert_id: str,
    observable: InputObservable,
    observable_path: Optional[str] = None,
) -> List[OutputObservable]:
    kwargs = self._build_observable_kwargs(
        observable=observable, observable_path=observable_path
    )
    return self._session.make_request(
        "POST", path=f"/api/v1/alert/{alert_id}/observable", **kwargs
    )

create_in_case(case_id, observable, observable_path=None)

Source code in thehive4py/endpoints/observable.py

def create_in_case(
    self,
    case_id: str,
    observable: InputObservable,
    observable_path: Optional[str] = None,
) -> List[OutputObservable]:
    kwargs = self._build_observable_kwargs(
        observable=observable, observable_path=observable_path
    )
    return self._session.make_request(
        "POST", path=f"/api/v1/case/{case_id}/observable", **kwargs
    )

get(observable_id)

Source code in thehive4py/endpoints/observable.py

def get(self, observable_id: str) -> OutputObservable:
    return self._session.make_request(
        "GET", path=f"/api/v1/observable/{observable_id}"
    )

delete(observable_id)

Source code in thehive4py/endpoints/observable.py

def delete(self, observable_id: str) -> None:
    return self._session.make_request(
        "DELETE", path=f"/api/v1/observable/{observable_id}"
    )

update(observable_id, fields)

Source code in thehive4py/endpoints/observable.py

def update(self, observable_id: str, fields: InputUpdateObservable) -> None:
    return self._session.make_request(
        "PATCH", path=f"/api/v1/observable/{observable_id}", json=fields
    )

bulk_update(fields)

Source code in thehive4py/endpoints/observable.py

def bulk_update(self, fields: InputBulkUpdateObservable) -> None:
    return self._session.make_request(
        "PATCH", path="/api/v1/observable/_bulk", json=fields
    )

share(observable_id, organisations)

Source code in thehive4py/endpoints/observable.py

def share(self, observable_id: str, organisations: List[str]) -> None:
    return self._session.make_request(
        "POST",
        path=f"/api/v1/observable/{observable_id}/shares",
        json={"organisations": organisations},
    )

unshare(observable_id, organisations)

Source code in thehive4py/endpoints/observable.py

def unshare(self, observable_id: str, organisations: List[str]) -> None:
    return self._session.make_request(
        "DELETE",
        path=f"/api/v1/observable/{observable_id}/shares",
        json={"organisations": organisations},
    )

list_shares(observable_id)

Source code in thehive4py/endpoints/observable.py

def list_shares(self, observable_id: str) -> List[OutputShare]:
    return self._session.make_request(
        "GET", path=f"/api/v1/case/{observable_id}/shares"
    )

find(filters=None, sortby=None, paginate=None)

Source code in thehive4py/endpoints/observable.py

def find(
    self,
    filters: Optional[FilterExpr] = None,
    sortby: Optional[SortExpr] = None,
    paginate: Optional[Paginate] = None,
) -> List[OutputObservable]:
    query: QueryExpr = [
        {"_name": "listObservable"},
        *self._build_subquery(filters=filters, sortby=sortby, paginate=paginate),
    ]

    return self._session.make_request(
        "POST",
        path="/api/v1/query",
        params={"name": "observables"},
        json={"query": query},
    )

count(filters=None)

Source code in thehive4py/endpoints/observable.py

def count(self, filters: Optional[FilterExpr] = None) -> int:
    query: QueryExpr = [
        {"_name": "listObservable"},
        *self._build_subquery(filters=filters),
        {"_name": "count"},
    ]

    return self._session.make_request(
        "POST",
        path="/api/v1/query",
        params={"name": "observable.count"},
        json={"query": query},
    )

download_attachment(observable_id, attachment_id, observable_path, as_zip=False)

Source code in thehive4py/endpoints/observable.py

def download_attachment(
    self,
    observable_id: str,
    attachment_id: str,
    observable_path: str,
    as_zip=False,
) -> None:
    return self._session.make_request(
        "GET",
        path=(
            f"/api/v1/observable/{observable_id}"
            f"/attachment/{attachment_id}/download"
        ),
        params={"asZip": as_zip},
        download_path=observable_path,
    )

observable_type

ObservableTypeEndpoint(session)

Bases: EndpointBase

Source code in thehive4py/endpoints/_base.py

def __init__(self, session: TheHiveSession):
    self._session = session

create(observable_type)

Source code in thehive4py/endpoints/observable_type.py

def create(self, observable_type: InputObservableType) -> OutputObservableType:
    return self._session.make_request(
        "POST", path="/api/v1/observable/type", json=observable_type
    )

get(observable_type_id)

Source code in thehive4py/endpoints/observable_type.py

def get(self, observable_type_id: str) -> OutputObservableType:
    return self._session.make_request(
        "GET", path=f"/api/v1/observable/type/{observable_type_id}"
    )

delete(observable_type_id)

Source code in thehive4py/endpoints/observable_type.py

def delete(self, observable_type_id: str) -> None:
    return self._session.make_request(
        "DELETE", path=f"/api/v1/observable/type/{observable_type_id}"
    )

find(filters=None, sortby=None, paginate=None)

Source code in thehive4py/endpoints/observable_type.py

def find(
    self,
    filters: Optional[FilterExpr] = None,
    sortby: Optional[SortExpr] = None,
    paginate: Optional[Paginate] = None,
) -> List[OutputObservableType]:
    query: QueryExpr = [
        {"_name": "listObservableType"},
        *self._build_subquery(filters=filters, sortby=sortby, paginate=paginate),
    ]

    return self._session.make_request(
        "POST",
        path="/api/v1/query",
        params={"name": "observableTypes"},
        json={"query": query},
    )

organisation

OrganisationEndpoint(session)

Bases: EndpointBase

Source code in thehive4py/endpoints/_base.py

def __init__(self, session: TheHiveSession):
    self._session = session

create(organisation)

Source code in thehive4py/endpoints/organisation.py

def create(self, organisation: InputOrganisation) -> OutputOrganisation:
    return self._session.make_request(
        "POST", path="/api/v1/organisation", json=organisation
    )

get(org_id)

Source code in thehive4py/endpoints/organisation.py

def get(self, org_id: str) -> OutputOrganisation:
    return self._session.make_request("GET", path=f"/api/v1/organisation/{org_id}")

update(org_id, fields)

Source code in thehive4py/endpoints/organisation.py

def update(self, org_id: str, fields: InputUpdateOrganisation) -> None:
    return self._session.make_request(
        "PATCH", path=f"/api/v1/organisation/{org_id}", json=fields
    )

delete(org_id)

Source code in thehive4py/endpoints/organisation.py

def delete(self, org_id: str) -> None:
    return self._session.make_request(
        "DELETE", path=f"/api/v1/organisation/{org_id}"
    )

link(org_id, other_org_id, link)

Source code in thehive4py/endpoints/organisation.py

def link(self, org_id: str, other_org_id: str, link: InputOrganisationLink) -> None:
    return self._session.make_request(
        "PUT", path=f"/api/v1/organisation/{org_id}/link/{other_org_id}", json=link
    )

unlink(org_id, other_org_id)

Source code in thehive4py/endpoints/organisation.py

def unlink(self, org_id: str, other_org_id: str) -> None:
    return self._session.make_request(
        "GET", path=f"/api/v1/organisation/{org_id}/link/{other_org_id}"
    )

list_links(org_id)

Source code in thehive4py/endpoints/organisation.py

def list_links(self, org_id: str) -> List[OutputOrganisation]:
    return self._session.make_request(
        "GET", path=f"/api/v1/organisation/{org_id}/links"
    )

bulk_link(org_id, links)

Source code in thehive4py/endpoints/organisation.py

def bulk_link(self, org_id: str, links: List[InputBulkOrganisationLink]) -> None:
    return self._session.make_request(
        "PUT", path=f"/api/v1/organisation/{org_id}/links", json={"links": links}
    )

list_sharing_profiles()

Source code in thehive4py/endpoints/organisation.py

def list_sharing_profiles(self) -> List[OutputSharingProfile]:
    return self._session.make_request("GET", path="/api/v1/sharingProfile")

find(filters=None, sortby=None, paginate=None)

Source code in thehive4py/endpoints/organisation.py

def find(
    self,
    filters: Optional[FilterExpr] = None,
    sortby: Optional[SortExpr] = None,
    paginate: Optional[Paginate] = None,
) -> List[OutputOrganisation]:
    query: QueryExpr = [
        {"_name": "listOrganisation"},
        *self._build_subquery(filters=filters, sortby=sortby, paginate=paginate),
    ]

    return self._session.make_request(
        "POST",
        path="/api/v1/query",
        params={"name": "organisations"},
        json={"query": query},
    )

count(filters=None)

Source code in thehive4py/endpoints/organisation.py

def count(self, filters: Optional[FilterExpr] = None) -> int:
    query: QueryExpr = [
        {"_name": "listOrganisation"},
        *self._build_subquery(filters=filters),
        {"_name": "count"},
    ]

    return self._session.make_request(
        "POST",
        path="/api/v1/query",
        params={"name": "organisations.count"},
        json={"query": query},
    )

procedure

ProcedureEndpoint(session)

Bases: EndpointBase

Source code in thehive4py/endpoints/_base.py

def __init__(self, session: TheHiveSession):
    self._session = session

create_in_alert(alert_id, procedure)

Source code in thehive4py/endpoints/procedure.py

def create_in_alert(
    self, alert_id: str, procedure: InputProcedure
) -> OutputProcedure:
    return self._session.make_request(
        "POST", path=f"/api/v1/alert/{alert_id}/procedure", json=procedure
    )

create_in_case(case_id, procedure)

Source code in thehive4py/endpoints/procedure.py

def create_in_case(
    self, case_id: str, procedure: InputProcedure
) -> OutputProcedure:
    return self._session.make_request(
        "POST", path=f"/api/v1/case/{case_id}/procedure", json=procedure
    )

get(procedure_id)

Source code in thehive4py/endpoints/procedure.py

def get(self, procedure_id: str) -> OutputProcedure:
    # TODO: temp implementation until a dedicated get endpoint
    procedures = self._session.make_request(
        "POST",
        path="/api/v1/query",
        json={"query": [{"_name": "getProcedure", "idOrName": procedure_id}]},
    )
    try:
        return procedures[0]
    except IndexError:
        raise TheHiveError("404 - Procedure not found")

delete(procedure_id)

Source code in thehive4py/endpoints/procedure.py

def delete(self, procedure_id: str) -> None:
    return self._session.make_request(
        "DELETE", path=f"/api/v1/procedure/{procedure_id}"
    )

update(procedure_id, fields)

Source code in thehive4py/endpoints/procedure.py

def update(self, procedure_id: str, fields: InputUpdateProcedure) -> None:
    return self._session.make_request(
        "PATCH", path=f"/api/v1/procedure/{procedure_id}", json=fields
    )

find(filters=None, sortby=None, paginate=None)

Source code in thehive4py/endpoints/procedure.py

def find(
    self,
    filters: Optional[FilterExpr] = None,
    sortby: Optional[SortExpr] = None,
    paginate: Optional[Paginate] = None,
) -> List[OutputProcedure]:
    query: QueryExpr = [
        {"_name": "listProcedure"},
        *self._build_subquery(filters=filters, sortby=sortby, paginate=paginate),
    ]

    return self._session.make_request(
        "POST",
        path="/api/v1/query",
        params={"name": "procedures"},
        json={"query": query},
    )

profile

ProfileEndpoint(session)

Bases: EndpointBase

Source code in thehive4py/endpoints/_base.py

def __init__(self, session: TheHiveSession):
    self._session = session

create(profile)

Source code in thehive4py/endpoints/profile.py

def create(self, profile: InputProfile) -> OutputProfile:
    return self._session.make_request("POST", path="/api/v1/profile", json=profile)

get(profile_id)

Source code in thehive4py/endpoints/profile.py

def get(self, profile_id: str) -> OutputProfile:
    return self._session.make_request("GET", path=f"/api/v1/profile/{profile_id}")

delete(profile_id)

Source code in thehive4py/endpoints/profile.py

def delete(self, profile_id: str) -> None:
    return self._session.make_request("DELETE", f"/api/v1/profile/{profile_id}")

update(profile_id, fields)

Source code in thehive4py/endpoints/profile.py

def update(self, profile_id: str, fields: InputUpdateProfile) -> None:
    return self._session.make_request(
        "PATCH", f"/api/v1/profile/{profile_id}", json=fields
    )

find(filters=None, sortby=None, paginate=None)

Source code in thehive4py/endpoints/profile.py

def find(
    self,
    filters: Optional[FilterExpr] = None,
    sortby: Optional[SortExpr] = None,
    paginate: Optional[Paginate] = None,
) -> List[OutputProfile]:
    query: QueryExpr = [
        {"_name": "listProfile"},
        *self._build_subquery(filters=filters, sortby=sortby, paginate=paginate),
    ]

    return self._session.make_request(
        "POST",
        path="/api/v1/query",
        params={"name": "profiles"},
        json={"query": query},
    )

count(filters=None)

Source code in thehive4py/endpoints/profile.py

def count(self, filters: Optional[FilterExpr] = None) -> int:
    query: QueryExpr = [
        {"_name": "listProfile"},
        *self._build_subquery(filters=filters),
        {"_name": "count"},
    ]

    return self._session.make_request(
        "POST",
        path="/api/v1/query",
        params={"name": "profile.count"},
        json={"query": query},
    )

query

QueryEndpoint(session)

Bases: EndpointBase

Source code in thehive4py/endpoints/_base.py

def __init__(self, session: TheHiveSession):
    self._session = session

run(query, exclude_fields=[])

Source code in thehive4py/endpoints/query.py

def run(
    self, query: typing.List[dict], exclude_fields: typing.List[str] = []
) -> typing.Any:
    return self._session.make_request(
        "POST",
        path="/api/v1/query",
        json={"query": query, "excludeFields": exclude_fields},
    )

task

TaskEndpoint(session)

Bases: EndpointBase

Source code in thehive4py/endpoints/_base.py

def __init__(self, session: TheHiveSession):
    self._session = session

create(case_id, task)

Source code in thehive4py/endpoints/task.py

def create(self, case_id: str, task: InputTask) -> OutputTask:
    return self._session.make_request(
        "POST", path=f"/api/v1/case/{case_id}/task", json=task
    )

get(task_id)

Source code in thehive4py/endpoints/task.py

def get(self, task_id: str) -> OutputTask:
    return self._session.make_request("GET", path=f"/api/v1/task/{task_id}")

delete(task_id)

Source code in thehive4py/endpoints/task.py

def delete(self, task_id: str) -> None:
    return self._session.make_request("DELETE", path=f"/api/v1/task/{task_id}")

update(task_id, fields)

Source code in thehive4py/endpoints/task.py

def update(self, task_id: str, fields: InputUpdateTask) -> None:
    return self._session.make_request(
        "PATCH", path=f"/api/v1/task/{task_id}", json=fields
    )

bulk_update(fields)

Source code in thehive4py/endpoints/task.py

def bulk_update(self, fields: InputBulkUpdateTask) -> None:
    return self._session.make_request(
        "PATCH", path="/api/v1/task/_bulk", json=fields
    )

get_required_actions(task_id)

Source code in thehive4py/endpoints/task.py

def get_required_actions(self, task_id: str) -> dict:
    return self._session.make_request(
        "GET", path=f"/api/v1/task/{task_id}/actionRequired"
    )

set_as_required(task_id, org_id)

Source code in thehive4py/endpoints/task.py

def set_as_required(self, task_id: str, org_id: str) -> None:
    return self._session.make_request(
        "PUT", f"/api/v1/task/{task_id}/actionRequired/{org_id}"
    )

set_as_done(task_id, org_id)

Source code in thehive4py/endpoints/task.py

def set_as_done(self, task_id: str, org_id: str) -> None:
    return self._session.make_request(
        "PUT", f"/api/v1/task/{task_id}/actionDone/{org_id}"
    )

share()

Source code in thehive4py/endpoints/task.py

def share(self):
    raise NotImplementedError()

list_shares()

Source code in thehive4py/endpoints/task.py

def list_shares(self):
    raise NotImplementedError()

unshare()

Source code in thehive4py/endpoints/task.py

def unshare(self):
    raise NotImplementedError()

find(filters=None, sortby=None, paginate=None)

Source code in thehive4py/endpoints/task.py

def find(
    self,
    filters: Optional[FilterExpr] = None,
    sortby: Optional[SortExpr] = None,
    paginate: Optional[Paginate] = None,
) -> List[OutputTask]:
    query: QueryExpr = [
        {"_name": "listTask"},
        *self._build_subquery(filters=filters, sortby=sortby, paginate=paginate),
    ]

    return self._session.make_request(
        "POST",
        path="/api/v1/query",
        params={"name": "tasks"},
        json={"query": query},
    )

count(filters=None)

Source code in thehive4py/endpoints/task.py

def count(self, filters: Optional[FilterExpr] = None) -> int:
    query: QueryExpr = [
        {"_name": "listTask"},
        *self._build_subquery(filters=filters),
        {"_name": "count"},
    ]

    return self._session.make_request(
        "POST",
        path="/api/v1/query",
        params={"name": "task.count"},
        json={"query": query},
    )

create_log(task_id, task_log)

Source code in thehive4py/endpoints/task.py

def create_log(self, task_id: str, task_log: InputTaskLog) -> OutputTaskLog:
    return self._session.make_request(
        "POST", path=f"/api/v1/task/{task_id}/log", json=task_log
    )

find_logs(task_id, filters=None, sortby=None, paginate=None)

Source code in thehive4py/endpoints/task.py

def find_logs(
    self,
    task_id: str,
    filters: Optional[FilterExpr] = None,
    sortby: Optional[SortExpr] = None,
    paginate: Optional[Paginate] = None,
) -> List[OutputTaskLog]:
    query: QueryExpr = [
        {"_name": "getTask", "idOrName": task_id},
        {"_name": "logs"},
        *self._build_subquery(filters=filters, sortby=sortby, paginate=paginate),
    ]

    return self._session.make_request(
        "POST",
        path="/api/v1/query",
        params={"name": "case-task-logs"},
        json={"query": query},
    )

task_log

TaskLogEndpoint(session)

Bases: EndpointBase

Source code in thehive4py/endpoints/_base.py

def __init__(self, session: TheHiveSession):
    self._session = session

create(task_id, task_log)

Source code in thehive4py/endpoints/task_log.py

def create(self, task_id: str, task_log: InputTaskLog) -> OutputTaskLog:
    return self._session.make_request(
        "POST", path=f"/api/v1/task/{task_id}/log", json=task_log
    )

get(task_log_id)

Source code in thehive4py/endpoints/task_log.py

def get(self, task_log_id: str) -> OutputTaskLog:
    # TODO: temp implementation until a dedicated get endpoint
    logs = self._session.make_request(
        "POST",
        path="/api/v1/query",
        json={"query": [{"_name": "getLog", "idOrName": task_log_id}]},
    )

    try:
        return logs[0]
    except IndexError:
        raise TheHiveError("404 - Task Log Not Found")

delete(task_log_id)

Source code in thehive4py/endpoints/task_log.py

def delete(self, task_log_id: str) -> None:
    return self._session.make_request("DELETE", path=f"/api/v1/log/{task_log_id}")

update(task_log_id, fields)

Source code in thehive4py/endpoints/task_log.py

def update(self, task_log_id: str, fields: InputUpdateTaskLog) -> None:
    return self._session.make_request(
        "PATCH", path=f"/api/v1/log/{task_log_id}", json=fields
    )

add_attachments(task_log_id, attachment_paths)

Source code in thehive4py/endpoints/task_log.py

def add_attachments(self, task_log_id: str, attachment_paths: List[str]) -> None:
    files = [
        ("attachments", self._fileinfo_from_filepath(attachment_path))
        for attachment_path in attachment_paths
    ]
    return self._session.make_request(
        "POST", f"/api/v1/log/{task_log_id}/attachments", files=files
    )

delete_attachment(task_log_id, attachment_id)

Source code in thehive4py/endpoints/task_log.py

def delete_attachment(self, task_log_id: str, attachment_id: str) -> None:
    return self._session.make_request(
        "DELETE", f"/api/v1/log/{task_log_id}/attachments/{attachment_id}"
    )

timeline

TimelineEndpoint(session)

Bases: EndpointBase

Source code in thehive4py/endpoints/_base.py

def __init__(self, session: TheHiveSession):
    self._session = session

get(case_id)

Source code in thehive4py/endpoints/timeline.py

def get(self, case_id: str) -> OutputTimeline:
    return self._session.make_request("GET", f"/api/v1/case/{case_id}/timeline")

create_event(case_id, event)

Source code in thehive4py/endpoints/timeline.py

def create_event(self, case_id: str, event: InputCustomEvent) -> OutputCustomEvent:
    return self._session.make_request(
        "POST", path=f"/api/v1/case/{case_id}/customEvent", json=event
    )

delete_event(event_id)

Source code in thehive4py/endpoints/timeline.py

def delete_event(self, event_id: str) -> None:
    return self._session.make_request(
        "DELETE", path=f"/api/v1/customEvent/{event_id}"
    )

update_event(event_id, fields)

Source code in thehive4py/endpoints/timeline.py

def update_event(self, event_id: str, fields: InputUpdateCustomEvent) -> None:
    return self._session.make_request(
        "PATCH", path=f"/api/v1/customEvent/{event_id}", json=fields
    )

user

UserEndpoint(session)

Bases: EndpointBase

Source code in thehive4py/endpoints/_base.py

def __init__(self, session: TheHiveSession):
    self._session = session

create(user)

Source code in thehive4py/endpoints/user.py

def create(self, user: InputUser) -> OutputUser:
    return self._session.make_request("POST", path="/api/v1/user", json=user)

get(user_id)

Source code in thehive4py/endpoints/user.py

def get(self, user_id: str) -> OutputUser:
    return self._session.make_request("GET", path=f"/api/v1/user/{user_id}")

get_current()

Source code in thehive4py/endpoints/user.py

def get_current(self) -> OutputUser:
    return self._session.make_request("GET", path="/api/v1/user/current")

delete(user_id, organisation=None)

Source code in thehive4py/endpoints/user.py

def delete(self, user_id: str, organisation: Optional[str] = None) -> None:
    return self._session.make_request(
        "DELETE",
        path=f"/api/v1/user/{user_id}/force",
        params={"organisation": organisation},
    )

update(user_id, fields)

Source code in thehive4py/endpoints/user.py

def update(self, user_id: str, fields: InputUpdateUser) -> None:
    return self._session.make_request(
        "PATCH", path=f"/api/v1/user/{user_id}", json=fields
    )

lock(user_id)

Source code in thehive4py/endpoints/user.py

def lock(self, user_id: str) -> None:
    return self.update(user_id=user_id, fields={"locked": True})

unlock(user_id)

Source code in thehive4py/endpoints/user.py

def unlock(self, user_id: str) -> None:
    return self.update(user_id=user_id, fields={"locked": False})

set_organisations(user_id, organisations)

Source code in thehive4py/endpoints/user.py

def set_organisations(
    self, user_id: str, organisations: List[InputUserOrganisation]
) -> List[OutputUserOrganisation]:
    return self._session.make_request(
        "PUT",
        path=f"/api/v1/user/{user_id}/organisations",
        json={"organisations": organisations},
    )["organisations"]

set_password(user_id, password)

Source code in thehive4py/endpoints/user.py

def set_password(self, user_id: str, password: str) -> None:
    return self._session.make_request(
        "POST",
        path=f"/api/v1/user/{user_id}/password/set",
        json={"password": password},
    )

get_apikey(user_id)

Source code in thehive4py/endpoints/user.py

def get_apikey(self, user_id: str) -> str:
    return self._session.make_request("GET", path=f"/api/v1/user/{user_id}/key")

remove_apikey(user_id)

Source code in thehive4py/endpoints/user.py

def remove_apikey(self, user_id: str) -> None:
    return self._session.make_request("DELETE", path=f"/api/v1/user/{user_id}/key")

renew_apikey(user_id)

Source code in thehive4py/endpoints/user.py

def renew_apikey(self, user_id: str) -> str:
    return self._session.make_request(
        "POST", path=f"/api/v1/user/{user_id}/key/renew"
    )

get_avatar(user_id)

Source code in thehive4py/endpoints/user.py

def get_avatar(self, user_id: str):
    # TODO: implement the avatar download
    raise NotImplementedError()

find(filters=None, sortby=None, paginate=None)

Source code in thehive4py/endpoints/user.py

def find(
    self,
    filters: Optional[FilterExpr] = None,
    sortby: Optional[SortExpr] = None,
    paginate: Optional[Paginate] = None,
) -> List[OutputUser]:
    query: QueryExpr = [
        {"_name": "listUser"},
        *self._build_subquery(filters=filters, sortby=sortby, paginate=paginate),
    ]

    return self._session.make_request(
        "POST",
        path="/api/v1/query",
        params={"name": "users"},
        json={"query": query},
    )

count(filters=None)

Source code in thehive4py/endpoints/user.py

def count(self, filters: Optional[FilterExpr] = None) -> int:
    query: QueryExpr = [
        {"_name": "listUser"},
        *self._build_subquery(filters=filters),
        {"_name": "count"},
    ]

    return self._session.make_request(
        "POST",
        path="/api/v1/query",
        params={"name": "cases.count"},
        json={"query": query},
    )

types

alert

InputAlertRequired

Bases: TypedDict

type instance-attribute

source instance-attribute

sourceRef instance-attribute

title instance-attribute

description instance-attribute

InputAlert

Bases: InputAlertRequired

date instance-attribute

externalLink instance-attribute

severity instance-attribute

tags instance-attribute

flag instance-attribute

tlp instance-attribute

pap instance-attribute

customFields instance-attribute

summary instance-attribute

status instance-attribute

assignee instance-attribute

caseTemplate instance-attribute

observables instance-attribute

procedures instance-attribute

OutputAlertRequired

Bases: TypedDict

type instance-attribute

source instance-attribute

sourceRef instance-attribute

title instance-attribute

description instance-attribute

severity instance-attribute

severityLabel instance-attribute

date instance-attribute

tlp instance-attribute

tlpLabel instance-attribute

pap instance-attribute

papLabel instance-attribute

follow instance-attribute

observableCount instance-attribute

status instance-attribute

stage instance-attribute

extraData instance-attribute

newDate instance-attribute

timeToDetect instance-attribute

OutputAlert

Bases: OutputAlertRequired

externalLink instance-attribute

tags instance-attribute

customFields instance-attribute

caseTemplate instance-attribute

caseId instance-attribute

assignee instance-attribute

summary instance-attribute

inProgressDate instance-attribute

closedDate instance-attribute

importedDate instance-attribute

timeToTriage instance-attribute

timeToQualify instance-attribute

timeToAcknowledge instance-attribute

InputUpdateAlert

Bases: TypedDict

type instance-attribute

source instance-attribute

sourceRef instance-attribute

externalLink instance-attribute

title instance-attribute

description instance-attribute

severity instance-attribute

date instance-attribute

lastSyncDate instance-attribute

tags instance-attribute

tlp instance-attribute

pap instance-attribute

follow instance-attribute

customFields instance-attribute

status instance-attribute

summary instance-attribute

assignee instance-attribute

addTags instance-attribute

removeTags instance-attribute

InputBulkUpdateAlert

Bases: InputUpdateAlert

ids instance-attribute

InputPromoteAlert

Bases: TypedDict

title instance-attribute

description instance-attribute

severity instance-attribute

startDate instance-attribute

endDate instance-attribute

tags instance-attribute

flag instance-attribute

tlp instance-attribute

pap instance-attribute

status instance-attribute

summary instance-attribute

assignee instance-attribute

customFields instance-attribute

caseTemplate instance-attribute

tasks instance-attribute

pages instance-attribute

sharingParameters instance-attribute

taskRule instance-attribute

observableRule instance-attribute

attachment

OutputAttachmentRequired

Bases: TypedDict

name instance-attribute

size instance-attribute

contentType instance-attribute

id instance-attribute

OutputAttachment

Bases: OutputAttachmentRequired

hashes instance-attribute

case

CaseStatusValue = Literal['New', 'InProgress', 'Indeterminate', 'FalsePositive', 'TruePositive', 'Other', 'Duplicated'] module-attribute

ImpactStatusValue = Literal['NotApplicable', 'WithImpact', 'NoImpact'] module-attribute

CaseStatus

New = 'New' class-attribute instance-attribute

InProgress = 'InProgress' class-attribute instance-attribute

Indeterminate = 'Indeterminate' class-attribute instance-attribute

FalsePositive = 'FalsePositive' class-attribute instance-attribute

TruePositive = 'TruePositive' class-attribute instance-attribute

Other = 'Other' class-attribute instance-attribute

Duplicated = 'Duplicated' class-attribute instance-attribute

ImpactStatus

NotApplicable = 'NotApplicable' class-attribute instance-attribute

WithImpact = 'WithImpact' class-attribute instance-attribute

NoImpact = 'NoImpact' class-attribute instance-attribute

InputCaseRequired

Bases: TypedDict

title instance-attribute

description instance-attribute

InputCase

Bases: InputCaseRequired

severity instance-attribute

startDate instance-attribute

endDate instance-attribute

tags instance-attribute

flag instance-attribute

tlp instance-attribute

pap instance-attribute

status instance-attribute

summary instance-attribute

assignee instance-attribute

customFields instance-attribute

caseTemplate instance-attribute

tasks instance-attribute

pages instance-attribute

sharingParameters instance-attribute

taskRule instance-attribute

observableRule instance-attribute

OutputCaseRequired

Bases: TypedDict

number instance-attribute

title instance-attribute

description instance-attribute

severity instance-attribute

severityLabel instance-attribute

startDate instance-attribute

flag instance-attribute

tlp instance-attribute

tlpLabel instance-attribute

pap instance-attribute

papLabel instance-attribute

status instance-attribute

stage instance-attribute

extraData instance-attribute

newDate instance-attribute

timeToDetect instance-attribute

OutputCase

Bases: OutputCaseRequired

endDate instance-attribute

tags instance-attribute

summary instance-attribute

impactStatus instance-attribute

assignee instance-attribute

customFields instance-attribute

userPermissions instance-attribute

inProgressDate instance-attribute

closedDate instance-attribute

alertDate instance-attribute

alertNewDate instance-attribute

alertInProgressDate instance-attribute

alertImportedDate instance-attribute

timeToTriage instance-attribute

timeToQualify instance-attribute

timeToAcknowledge instance-attribute

timeToResolve instance-attribute

handlingDuration instance-attribute

InputUpdateCase

Bases: TypedDict

title instance-attribute

description instance-attribute

severity instance-attribute

startDate instance-attribute

endDate instance-attribute

tags instance-attribute

flag instance-attribute

tlp instance-attribute

pap instance-attribute

status instance-attribute

summary instance-attribute

assignee instance-attribute

impactStatus instance-attribute

customFields instance-attribute

taskRule instance-attribute

observableRule instance-attribute

addTags instance-attribute

removeTags instance-attribute

InputBulkUpdateCase

Bases: InputUpdateCase

ids instance-attribute

InputImportCaseRequired

Bases: TypedDict

password instance-attribute

InputImportCase

Bases: InputImportCaseRequired

sharingParameters instance-attribute

taskRule instance-attribute

observableRule instance-attribute

case_template

SeverityValue = Literal[1, 2, 3, 4] module-attribute

TlpValue = Literal[0, 1, 2, 3, 4] module-attribute

PapValue = Literal[0, 1, 2, 3] module-attribute

InputCaseTemplateRequired

Bases: TypedDict

name instance-attribute

InputCaseTemplate

Bases: InputCaseTemplateRequired

displayName instance-attribute

titlePrefix instance-attribute

description instance-attribute

severity instance-attribute

tags instance-attribute

flag instance-attribute

tlp instance-attribute

pap instance-attribute

summary instance-attribute

tasks instance-attribute

pageTemplateIds instance-attribute

customFields instance-attribute

OutputCaseTemplateRequired

Bases: TypedDict

name instance-attribute

OutputCaseTemplate

Bases: OutputCaseTemplateRequired

displayName instance-attribute

titlePrefix instance-attribute

description instance-attribute

severity instance-attribute

tags instance-attribute

flag instance-attribute

tlp instance-attribute

pap instance-attribute

summary instance-attribute

tasks instance-attribute

pageTemplateIds instance-attribute

customFields instance-attribute

comment

InputComment

Bases: TypedDict

message instance-attribute

OutputCommentRequired

Bases: TypedDict

createdBy instance-attribute

createdAt instance-attribute

message instance-attribute

isEdited instance-attribute

OutputComment

Bases: OutputCommentRequired

updatedAt instance-attribute

InputUpdateComment

Bases: TypedDict

message instance-attribute

cortex

OutputAnalyzerRequired

Bases: TypedDict

id instance-attribute

name instance-attribute

version instance-attribute

description instance-attribute

OutputAnalyzer

Bases: OutputAnalyzerRequired

dataTypeList instance-attribute

cortexIds instance-attribute

OutputResponderRequired

Bases: TypedDict

id instance-attribute

name instance-attribute

version instance-attribute

description instance-attribute

OutputResponder

Bases: OutputResponderRequired

dataTypeList instance-attribute

cortexIds instance-attribute

OutputAnalyzerJobRequired

Bases: TypedDict

analyzerId instance-attribute

analyzerName instance-attribute

analyzerDefinition instance-attribute

status instance-attribute

startDate instance-attribute

cortexId instance-attribute

cortexJobId instance-attribute

id instance-attribute

operations instance-attribute

OutputAnalyzerJob

Bases: TypedDict

endDate instance-attribute

report instance-attribute

case_artifact instance-attribute

OutputResponderActionRequired

Bases: TypedDict

responderId instance-attribute

status instance-attribute

startDate instance-attribute

cortexId instance-attribute

cortexJobId instance-attribute

id instance-attribute

operations instance-attribute

OutputResponderAction

Bases: OutputResponderActionRequired

endDate instance-attribute

report instance-attribute

responderName instance-attribute

responderDefinition instance-attribute

InputResponderActionRequired

Bases: TypedDict

objectId instance-attribute

objectType instance-attribute

responderId instance-attribute

InputResponderAction

Bases: InputResponderActionRequired

parameters instance-attribute

tlp instance-attribute

InputAnalyzerJobRequired

Bases: TypedDict

analyzerId instance-attribute

cortexId instance-attribute

observableId instance-attribute

InputAnalyzerJob

Bases: InputAnalyzerJobRequired

parameters instance-attribute

custom_field

InputCustomFieldValueRequired

Bases: TypedDict

name instance-attribute

InputCustomFieldValue

Bases: InputCustomFieldValueRequired

value instance-attribute

order instance-attribute

OutputCustomFieldValue

Bases: TypedDict

name instance-attribute

description instance-attribute

type instance-attribute

value instance-attribute

order instance-attribute

InputCustomFieldRequired

Bases: TypedDict

name instance-attribute

group instance-attribute

description instance-attribute

type instance-attribute

InputCustomField

Bases: InputCustomFieldRequired

displayName instance-attribute

mandatory instance-attribute

options instance-attribute

OutputCustomFieldRequired

Bases: TypedDict

name instance-attribute

displayName instance-attribute

group instance-attribute

description instance-attribute

type instance-attribute

mandatory instance-attribute

OutputCustomField

Bases: OutputCustomFieldRequired

options instance-attribute

InputUpdateCustomField

Bases: TypedDict

displayName instance-attribute

group instance-attribute

description instance-attribute

type instance-attribute

options instance-attribute

mandatory instance-attribute

observable

InputObservableRequired

Bases: TypedDict

dataType instance-attribute

InputObservable

Bases: InputObservableRequired

data instance-attribute

message instance-attribute

startDate instance-attribute

tlp instance-attribute

pap instance-attribute

tags instance-attribute

ioc instance-attribute

sighted instance-attribute

sightedAt instance-attribute

ignoreSimilarity instance-attribute

isZip instance-attribute

zipPassword instance-attribute

attachment instance-attribute

OutputObservableRequired

Bases: TypedDict

dataType instance-attribute

startDate instance-attribute

tlp instance-attribute

pap instance-attribute

ioc instance-attribute

sighted instance-attribute

reports instance-attribute

extraData instance-attribute

ignoreSimilarity instance-attribute

OutputObservable

Bases: OutputObservableRequired

data instance-attribute

attachment instance-attribute

tags instance-attribute

sightedAt instance-attribute

message instance-attribute

InputUpdateObservable

Bases: TypedDict

dataType instance-attribute

message instance-attribute

tlp instance-attribute

pap instance-attribute

tags instance-attribute

ioc instance-attribute

sighted instance-attribute

sightedAt instance-attribute

ignoreSimilarity instance-attribute

InputBulkUpdateObservable

Bases: InputUpdateObservable

ids instance-attribute

observable_type

InputObservableTypeRequired

Bases: TypedDict

name instance-attribute

InputObservableType

Bases: InputObservableTypeRequired

isAttachment instance-attribute

OutputObservableTypeRequired

Bases: TypedDict

name instance-attribute

isAttachment instance-attribute

OutputObservableType

Bases: OutputObservableTypeRequired

organisation

InputOrganisationLink

Bases: TypedDict

linkType instance-attribute

otherLinkType instance-attribute

InputBulkOrganisationLink

Bases: TypedDict

toOrganisation instance-attribute

linkType instance-attribute

otherLinkType instance-attribute

OutputSharingProfile

Bases: TypedDict

name instance-attribute

description instance-attribute

autoShare instance-attribute

editable instance-attribute

permissionProfile instance-attribute

taskRule instance-attribute

observableRule instance-attribute

InputOrganisationRequired

Bases: TypedDict

name instance-attribute

description instance-attribute

InputOrganisation

Bases: InputOrganisationRequired

taskRule instance-attribute

observableRule instance-attribute

locked instance-attribute

OutputOrganisationRequired

Bases: TypedDict

name instance-attribute

description instance-attribute

taskRule instance-attribute

observableRule instance-attribute

locked instance-attribute

extraData instance-attribute

OutputOrganisation

Bases: OutputOrganisationRequired

links instance-attribute

avatar instance-attribute

InputUpdateOrganisation

Bases: TypedDict

name instance-attribute

description instance-attribute

taskRule instance-attribute

observableRule instance-attribute

locked instance-attribute

avatar instance-attribute

page

InputCasePageRequired

Bases: TypedDict

title instance-attribute

content instance-attribute

category instance-attribute

InputCasePage

Bases: InputCasePageRequired

order instance-attribute

OutputCasePageRequired

Bases: TypedDict

id instance-attribute

createdBy instance-attribute

createdAt instance-attribute

title instance-attribute

content instance-attribute

slug instance-attribute

order instance-attribute

category instance-attribute

OutputCasePage

Bases: OutputCasePageRequired

updatedBy instance-attribute

updatedAt instance-attribute

InputUpdateCasePage

Bases: TypedDict

title instance-attribute

content instance-attribute

category instance-attribute

order instance-attribute

procedure

InputProcedureRequired

Bases: TypedDict

occurDate instance-attribute

patternId instance-attribute

InputProcedure

Bases: InputProcedureRequired

tactic instance-attribute

description instance-attribute

OutputProcedureRequired

Bases: TypedDict

occurDate instance-attribute

tactic instance-attribute

tacticLabel instance-attribute

extraData instance-attribute

OutputProcedure

Bases: OutputProcedureRequired

description instance-attribute

patternId instance-attribute

patternName instance-attribute

InputUpdateProcedure

Bases: TypedDict

description instance-attribute

occurDate instance-attribute

profile

InputProfileRequired

Bases: TypedDict

name instance-attribute

InputProfile

Bases: InputProfileRequired

permissions instance-attribute

OutputProfileRequired

Bases: TypedDict

name instance-attribute

editable instance-attribute

isAdmin instance-attribute

OutputProfile

Bases: OutputProfileRequired

permissions instance-attribute

InputUpdateProfile

Bases: TypedDict

name instance-attribute

permissions instance-attribute

share

OutputShareRequired

Bases: TypedDict

caseId instance-attribute

profileName instance-attribute

organisationName instance-attribute

owner instance-attribute

taskRule instance-attribute

observableRule instance-attribute

OutputShare

Bases: OutputShareRequired

InputShareRequired

Bases: TypedDict

organisation instance-attribute

InputShare

Bases: InputShareRequired

share instance-attribute

profile instance-attribute

taskRule instance-attribute

observableRule instance-attribute

task

InputTaskRequired

Bases: TypedDict

title instance-attribute

InputTask

Bases: InputTaskRequired

group instance-attribute

description instance-attribute

status instance-attribute

flag instance-attribute

startDate instance-attribute

endDate instance-attribute

order instance-attribute

dueDate instance-attribute

assignee instance-attribute

mandatory instance-attribute

OutputTaskRequired

Bases: TypedDict

title instance-attribute

group instance-attribute

status instance-attribute

flag instance-attribute

order instance-attribute

mandatory instance-attribute

extraData instance-attribute

OutputTask

Bases: OutputTaskRequired

description instance-attribute

startDate instance-attribute

endDate instance-attribute

assignee instance-attribute

dueDate instance-attribute

InputUpdateTask

Bases: TypedDict

title instance-attribute

group instance-attribute

description instance-attribute

status instance-attribute

flag instance-attribute

startDate instance-attribute

endDate instance-attribute

order instance-attribute

dueDate instance-attribute

assignee instance-attribute

mandatory instance-attribute

InputBulkUpdateTask

Bases: InputUpdateTask

ids instance-attribute

task_log

InputTaskLogRequired

Bases: TypedDict

message instance-attribute

InputTaskLog

Bases: InputTaskLogRequired

startDate instance-attribute

includeInTimeline instance-attribute

OutputTaskLogRequired

Bases: TypedDict

message instance-attribute

date instance-attribute

owner instance-attribute

extraData instance-attribute

OutputTaskLog

Bases: OutputTaskLogRequired

attachments instance-attribute

includeInTimeline instance-attribute

InputUpdateTaskLog

Bases: TypedDict

message instance-attribute

includeInTimeline instance-attribute

timeline

OutputTimelineEventRequired

Bases: TypedDict

date instance-attribute

kind instance-attribute

entity instance-attribute

entityId instance-attribute

details instance-attribute

OutputTimelineEvent

Bases: OutputTimelineEventRequired

endDate instance-attribute

OutputTimeline

Bases: TypedDict

events instance-attribute

InputCustomEventRequired

Bases: TypedDict

date instance-attribute

title instance-attribute

InputCustomEvent

Bases: InputCustomEventRequired

endDate instance-attribute

description instance-attribute

OutputCustomEventRequired

Bases: TypedDict

date instance-attribute

title instance-attribute

OutputCustomEvent

Bases: OutputCustomEventRequired

endDate instance-attribute

description instance-attribute

InputUpdateCustomEvent

Bases: TypedDict

date instance-attribute

endDate instance-attribute

title instance-attribute

description instance-attribute

user

InputUserRequired

Bases: TypedDict

login instance-attribute

name instance-attribute

profile instance-attribute

InputUser

Bases: InputUserRequired

email instance-attribute

password instance-attribute

organisation instance-attribute

type instance-attribute

OutputOrganisationProfile

Bases: TypedDict

organisationId instance-attribute

organisation instance-attribute

profile instance-attribute

OutputUserRequired

Bases: TypedDict

login instance-attribute

name instance-attribute

hasKey instance-attribute

hasPassword instance-attribute

hasMFA instance-attribute

locked instance-attribute

profile instance-attribute

organisation instance-attribute

type instance-attribute

extraData instance-attribute

OutputUser

Bases: OutputUserRequired

email instance-attribute

permissions instance-attribute

avatar instance-attribute

organisations instance-attribute

defaultOrganisation instance-attribute

InputUpdateUser

Bases: TypedDict

name instance-attribute

organisation instance-attribute

profile instance-attribute

locked instance-attribute

avatar instance-attribute

email instance-attribute

defaultOrganisation instance-attribute

InputUserOrganisationRequired

Bases: TypedDict

organisation instance-attribute

profile instance-attribute

InputUserOrganisation

Bases: InputUserOrganisationRequired

default instance-attribute

OutputUserOrganisation

Bases: TypedDict

organisation instance-attribute

profile instance-attribute

default instance-attribute

query

QueryExpr = List[Union[_FilterExpr, _SortExpr, Paginate, dict]] module-attribute

filters

FilterExpr = _Union['_FilterBase', dict] module-attribute

Lt(field, value)

Bases: _FilterBase

Field less than value.

Source code in thehive4py/query/filters.py

def __init__(self, field: str, value: _Any):
    super().__init__(_lt={"_field": field, "_value": value})

Gt(field, value)

Bases: _FilterBase

Field greater than value.

Source code in thehive4py/query/filters.py

def __init__(self, field: str, value: _Any):
    super().__init__(_gt={"_field": field, "_value": value})

Lte(field, value)

Bases: _FilterBase

Field less than or equal value.

Source code in thehive4py/query/filters.py

def __init__(self, field: str, value: _Any):
    super().__init__(_lte={"_field": field, "_value": value})

Gte(field, value)

Bases: _FilterBase

Field less than or equal value.

Source code in thehive4py/query/filters.py

def __init__(self, field: str, value: _Any):
    super().__init__(_gte={"_field": field, "_value": value})

Ne(field, value)

Bases: _FilterBase

Field not equal value.

Source code in thehive4py/query/filters.py

def __init__(self, field: str, value: _Any):
    super().__init__(_ne={"_field": field, "_value": value})

Eq(field, value)

Bases: _FilterBase

Field equal value.

Source code in thehive4py/query/filters.py

def __init__(self, field: str, value: _Any):
    super().__init__(_eq={"_field": field, "_value": value})

StartsWith(field, value)

Bases: _FilterBase

Field starts with value.

Source code in thehive4py/query/filters.py

def __init__(self, field: str, value: str):
    super().__init__(_startsWith={"_field": field, "_value": value})

EndsWith(field, value)

Bases: _FilterBase

Field ends with value.

Source code in thehive4py/query/filters.py

def __init__(self, field: str, value: str):
    super().__init__(_endsWith={"_field": field, "_value": value})

Id(id)

Bases: _FilterBase

FIlter by ID.

Source code in thehive4py/query/filters.py

def __init__(self, id: str):
    super().__init__(_id=id)

Between(field, start, end)

Bases: _FilterBase

Field between inclusive from and exclusive to values.

Source code in thehive4py/query/filters.py

def __init__(self, field: str, start: int, end: int):
    super().__init__(_between={"_field": field, "_from": start, "_to": end})

In(field, values)

Bases: _FilterBase

Field is one of the values.

Source code in thehive4py/query/filters.py

def __init__(self, field: _Any, values: list):
    super().__init__(_in={"_field": field, "_values": values})

Contains(field)

Bases: _FilterBase

Object contains the field.

Source code in thehive4py/query/filters.py

def __init__(self, field: str):
    warnings.warn(
        message="The `Contains` filter has been deprecated. "
        "Please use the `Has` filter to prevent breaking "
        "changes in the future.",
        category=DeprecationWarning,
        stacklevel=2,
    )
    super().__init__(_contains=field)

Has(field)

Bases: _FilterBase

Object contains the field.

Source code in thehive4py/query/filters.py

def __init__(self, field: str):
    super().__init__(_has=field)

Like(field, value)

Bases: _FilterBase

Field contains the value.

Source code in thehive4py/query/filters.py

def __init__(self, field: str, value: str):
    super().__init__(_like={"_field": field, "_value": value})

Match(field, value)

Bases: _FilterBase

Field contains the value

Source code in thehive4py/query/filters.py

def __init__(self, field: str, value: str):
    super().__init__(_match={"_field": field, "_value": value})

page

Paginate(start, end, extra_data=[])

Bases: UserDict

Source code in thehive4py/query/page.py

def __init__(self, start: int, end: int, extra_data=[]):
    super().__init__({"from": start, "to": end, "extraData": extra_data})

sort

SortExpr

Bases: UserDict

Base class for sort expressions.

__and__(other)

Source code in thehive4py/query/sort.py

def __and__(self, other: "SortExpr") -> "SortExpr":
    return self._concat_expressions("&", self, other)

__or__(other)

Source code in thehive4py/query/sort.py

def __or__(self, other: "SortExpr") -> "SortExpr":  # type:ignore
    return self._concat_expressions("|", self, other)

Asc(field)

Bases: SortExpr

Source code in thehive4py/query/sort.py

def __init__(self, field: str):
    super().__init__(_fields=[{field: "asc"}])

Desc(field)

Bases: SortExpr

Source code in thehive4py/query/sort.py

def __init__(self, field: str):
    super().__init__(_fields=[{field: "desc"}])

errors

TheHiveError(message, response=None, *args, **kwargs)

Bases: Exception

Base error class of thehive4py.

Parameters:

Name	Type	Description	Default
message	str	The exception message.	required
response	Optional[Response]	Either None, or a Response object of a failed request.	None

Source code in thehive4py/errors.py

def __init__(
    self, message: str, response: Optional[Response] = None, *args, **kwargs
):
    """Base error class of thehive4py.

    Args:
        message: The exception message.
        response: Either `None`, or a `Response` object of a failed request.
    """
    super().__init__(message, *args, **kwargs)
    self.message = message
    self.response = response

message = message instance-attribute

response = response instance-attribute