Models
Alert
Model class describing an alert as defined in TheHive
Parameters:
Name | Type | Description | Default |
---|---|---|---|
id | str | Alert's id. Default: None | required |
tlp | Enum | Alert's TLP: | required |
pap | Enum | Alert's PAP: | required |
severity | Enum | Alert's severity: | required |
date | datetime | Alert's occurrence date. Default: | required |
tags | str[] | List of alert tags. Default: | required |
title | str | Alert's description. Default: None | required |
type | str | Alert's type. Default: None | required |
source | str | Alert's source. Default: None | required |
sourceRef | str | Alert's source reference. Used to specify the unique identifier of the alert. Default: None | required |
externalLink | str | Alert's external link. Used to easily navigate to the source of the alert. Default: None | required |
description | str | Alert's description. Default: None | required |
customFields | CustomField[] | A set of CustomField instances, or the result of a CustomFieldHelper.build() method. Default: | required |
caseTemplate | str | Alert template's name. Default: | required |
json | JSON | If the field is not equal to None, the Alert is instantiated using the JSON value instead of the arguments | required |
Warning
pap, externalLink attributes are available in TheHive 4 ONLY
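
An added example (not thehive4py's own code) that prepares keyword arguments for the Alert model documented above: it derives a deterministic sourceRef, checks tlp, pap and severity against the member names listed on this page, and drops the TheHive 4 only attributes for a TheHive 3 target. The event schema, the function names, and carrying enumeration values as member names (to be resolved to Tlp, Pap and Severity members before constructing the Alert) are assumptions of this example.

```python
import hashlib
from datetime import datetime, timezone

# Enumeration member names as listed on this page (Tlp, Pap, Severity).
LEVELS = {"WHITE", "GREEN", "AMBER", "RED"}
ALLOWED = {"tlp": LEVELS, "pap": LEVELS,
           "severity": {"LOW", "MEDIUM", "HIGH", "CRITICAL"}}
# Alert attributes this page marks as available in TheHive 4 only.
THEHIVE4_ONLY = ("pap", "externalLink")
# Constructed sample event (hypothetical schema), not real telemetry.
SAMPLE_EVENT = {
    "rule_id": "R-1001", "rule_name": "Encoded PowerShell command line",
    "summary": "Constructed sample detection", "kind": "edr", "sensor": "edr-eu-1",
    "host": "ws-0042", "time": "2024-05-01T12:00:00+00:00",
    "tags": ["powershell", "edr", "edr"], "tlp": "AMBER", "pap": "AMBER",
    "severity": "HIGH", "url": "https://siem.example.invalid/events/1",
}


def stable_source_ref(source, rule_id, entity, occurred):
    """Same detection -> same sourceRef, so a replayed event keeps its identifier."""
    stamp = occurred.astimezone(timezone.utc).isoformat()
    key = "\x1f".join((source, rule_id, entity, stamp))
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:32]


def alert_kwargs(event, version="THEHIVE_4"):
    """Map a detection event (hypothetical schema) to Alert keyword arguments."""
    if version not in ("THEHIVE_3", "THEHIVE_4"):
        raise ValueError("unknown TheHive version: %r" % version)
    occurred = datetime.fromisoformat(event["time"])
    if occurred.tzinfo is None:
        raise ValueError("event time must carry a UTC offset")
    kwargs = {
        "title": event["rule_name"], "description": event["summary"],
        "type": event["kind"], "source": event["sensor"],
        "sourceRef": stable_source_ref(
            event["sensor"], event["rule_id"], event["host"], occurred),
        "date": occurred, "tags": sorted(set(event["tags"])),
        "tlp": event["tlp"], "pap": event["pap"], "severity": event["severity"],
        "externalLink": event["url"],
    }
    for field, names in ALLOWED.items():
        if kwargs[field] not in names:
            raise ValueError("%s=%r is not a documented value" % (field, kwargs[field]))
    if version == "THEHIVE_3":
        for field in THEHIVE4_ONLY:
            del kwargs[field]
    return kwargs
```
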
AlertArtifact
Model class describing an alert observable as defined in TheHive
Parameters:
Name | Type | Description | Default |
---|---|---|---|
dataType | str | Observable's type, must be a valid type, one of the defined data types in TheHive. Default: None | required |
message | str | Observable's description. Default: None | required |
tlp | Enum | Case's TLP: | required |
ioc | bool | Observable's ioc flag, | required |
sighted | bool | Observable's sighted flag, | required |
ignoreSimilarity | bool | Observable's similarity ignore flag. | required |
tags | str[] | List of observable tags. Default: | required |
data | str \| (file, str | Observable's data: | required |
json | JSON | If the field is not equal to None, the observable is instantiated using the JSON value instead of the arguments | required |
Warning
ignoreSimilarity attribute is available in TheHive 4 ONLY
Case
Model class describing a case as defined in TheHive
Parameters:
Name | Type | Description | Default |
---|---|---|---|
id | str | Case's id. Default: None | required |
title | str | Case's description. Default: None | required |
description | str | Case's description. Default: None | required |
tlp | Enum | Case's TLP: | required |
pap | Enum | Case's PAP: | required |
severity | Enum | Case's severity: | required |
flag | bool | Case's flag, | required |
tags | str[] | List of case tags. Default: | required |
startDate | datetime | Case's start date, the date the case occurred. Default: | required |
template | str | Case template's name. If specified then the case is created using the given template. Default: | required |
owner | str | Case's assignee. Default: | required |
metrics | JSON | Case metrics collection. A JSON object where keys define the metric name and values define the metric value. Default: | required |
customFields | CustomField[] | A set of CustomField instances, or the result of a CustomFieldHelper.build() method. Default: | required |
tasks | JSON[] / CaseTask[] | Set of tasks, defined either as JSON objects or CaseTask instances | required |
json | JSON | If the field is not equal to None, the case is instantiated using the JSON value instead of the arguments | required |
Warning
The metrics field is available in TheHive 3 only
CaseHelper
Provides helper methods for interacting with instances of the Case class.
__call__(self, id)
special
Return an instance of Case with the given case ID.
:param id: ID of a case to retrieve.
__init__(self, thehive)
special
Initialize a CaseHelper instance.
:param thehive: A TheHiveApi instance.
create(self, title, description, **kwargs)
Create an instance of the Case class.
:param title: Case title.
:param description: Case description.
:param kwargs: Additional arguments.
:return: The created instance.
status_ok(status_code)
staticmethod
Check whether a status code is OK
update(self, case_id, **attributes)
Update a case.
:param case_id: The ID of the case to update
:param attributes: key=value pairs of case attributes to update (field=new_value)
:return: The created instance.
CaseObservable
Model class describing a case observable as defined in TheHive
Parameters:
Name | Type | Description | Default |
---|---|---|---|
id | str | Observable's id. Default: None | required |
dataType | str | Observable's type, must be a valid type, one of the defined data types in TheHive. Default: None | required |
message | str | Observable's description. Default: None | required |
tlp | Enum | Case's TLP: | required |
pap | Enum | Case's PAP: | required |
ioc | bool | Observable's ioc flag, | required |
sighted | bool | Observable's sighted flag, | required |
ignoreSimilarity | bool | Observable's similarity ignore flag. | required |
tags | str[] | List of observable tags. Default: | required |
data | str \| (file, str | Observable's data: | required |
json | JSON | If the field is not equal to None, the observable is instantiated using the JSON value instead of the arguments | required |
Warning
At least one of tags or message is required. You cannot create an observable without specifying one of those fields
Warning
ignoreSimilarity attribute is available in TheHive 4 ONLY
CaseStatus
Enumeration representing case statuses
Possible values: OPEN, RESOLVED, DELETED, DUPLICATE
CaseTask
Model class describing a case task as defined in TheHive
Parameters:
Name | Type | Description | Default |
---|---|---|---|
id | str | Task's id. Default: None | required |
title | str | Task's description. Default: None | required |
description | str | Task's description. Default: None | required |
status | Enum | Task's status: | required |
flag | bool | Task's flag, | required |
startDate | datetime | Task's start date, the date the task started at. Default: | required |
owner | str | Task's assignee. Default: | required |
json | JSON | If the field is not equal to None, the Task is instantiated using the JSON value instead of the arguments | required |
CaseTaskLog
Model class describing a case task log as defined in TheHive
Parameters:
Name | Type | Description | Default |
---|---|---|---|
id | str | Log's id. Default: None | required |
message | str | Log's description. Default: None | required |
file | str | Log attachment's path. If defined, the task log is created and the file is attached to it. Default: None | required |
json | JSON | If the field is not equal to None, the Task is instantiated using the JSON value instead of the arguments | required |
CaseTemplate
Model class describing a case template as defined in TheHive
Parameters:
Name | Type | Description | Default |
---|---|---|---|
id | str | Template's id. Default: None | required |
titlePrefix | str | Template's title prefix. Default: None | required |
description | str | Template's description. Default: None | required |
tlp | Enum | Template's TLP: | required |
pap | Enum | Template's PAP: | required |
severity | Enum | Template's severity: | required |
flag | bool | Template's flag, | required |
tags | str[] | List of template tags. Default: | required |
metrics | JSON | Template metrics collection. A JSON object where keys define the metric name and values define the metric value. Default: | required |
customFields | CustomField[] | A set of CustomField instances, or the result of a CustomFieldHelper.build() method. Default: | required |
tasks | JSON[] / CaseTask[] | Set of tasks, defined either as JSON objects or CaseTask instances | required |
json | JSON | If the field is not equal to None, the template is instantiated using the JSON value instead of the arguments | required |
Warning
The metrics field is available in TheHive 3 only
CustomField
Model class describing a custom field as defined in TheHive
Parameters:
Name | Type | Description | Default |
---|---|---|---|
name | str | name of the custom field | required |
reference | str | internal reference name | required |
description | str | description of the custom field | required |
type | Enum | type of the field, possible values are | required |
options | Any[] | list of possible values for the field | required |
mandatory | bool | True if the field is mandatory | required |
CustomFieldHelper
CustomFieldHelper
add_boolean(self, name, value)
Add a custom field of type bool.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
name | str | name of the custom field | required |
value | bool | True or False, value of the custom field | required |
add_date(self, name, value)
Add a custom field of type date.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
name | str | name of the custom field | required |
value | int | number of milliseconds representing a timestamp (Example: int(time.time())*1000) | required |
add_float(self, name, value)
Add a custom field of type float.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
name | str | name of the custom field | required |
value | float | value of the custom field | required |
Warning
This method works with TheHive 4 ONLY
add_integer(self, name, value)
Add a custom field of type integer.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
name | str | name of the custom field | required |
value | int | value of the custom field | required |
Warning
This method works with TheHive 4 ONLY
add_number(self, name, value)
Add a custom field of type number.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
name | str | name of the custom field | required |
value | number | value of the custom field | required |
Warning
This method works with TheHive 3 ONLY
add_string(self, name, value)
Add a custom field of type string.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
name | str | name of the custom field | required |
value | str | value of the custom field | required |
build(self)
Builds the custom field value dict as expected by TheHive, maintaining the order of the fields, specified by order
Returns:
Type | Description |
---|---|
dict | A json representation of the custom fields map |
CustomJsonEncoder
Custom JSON encoder class that takes into account thehive4py.models.JSONSerializable instances and datetime.datetime objects
default(self, o)
Method to serialize thehive4py.models.JSONSerializable objects.
Used by thehive4py.models.JSONSerializable.jsonify method
JSONSerializable
Abstract base class of all the model classes.
It defines a utility method called jsonify, used to get a model object's JSON representation
jsonify(self, excludes=[])
A method that returns a stringified JSON representing a model object
Parameters:
Name | Type | Description | Default |
---|---|---|---|
excludes | str[] | list of fields to exclude from the returned JSON object. | [] |
Returns:
Type | Description |
---|---|
str | the JSON string of the object. |
Pap
Enumeration representing PAP, used in cases, observables and alerts (TheHive 4 only)
Possible values: WHITE, GREEN, AMBER, RED
Severity
Enumeration representing severity, used in cases and alerts
Possible values: LOW, MEDIUM, HIGH, CRITICAL
TaskStatus
Enumeration representing task statuses
Possible values: WAITING, INPROGRESS, COMPLETED, CANCEL
Tlp
Enumeration representing TLP, used in cases, observables and alerts
Possible values: WHITE, GREEN, AMBER, RED
Version
Enumeration representing a version used to specify the version of TheHive instance
Possible values: THEHIVE_3, THEHIVE_4