API_v0 - csirtgadgets/csirtg GitHub Wiki
Overview
This describes the resources that make up the CSIRTG API. If you have any problems or requests, please log an issue.
Limits
Feeds
Private
Users can create 1 private feed
Public
Users can create up to 10 public feeds
Indicators
Users can create up to a total of 250,000 indicators across all feeds globally.
API Rate Limiting
When authenticated, you can make up to 5000 requests per day.
X-Ratelimit-Limit: 5000
X-Ratelimit-Remaining: 4999
X-Ratelimit-Period: day
Current SDKs
The current SDKs can be found here.
Current Version
By default, all requests receive v0 of the API. We encourage you to explicitly request this version via the Accept header.
Accept: application/vnd.csirtg.v0
Authorization
$ curl -H "Accept: application/vnd.csirtg.v0" -H "Authorization: Token token=646cc6d029998c702f1a377260e5f6a0" https://csirtg.io/api
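An added example (not part of the CSIRTG wiki or SDKs) that builds a request carrying the v0 Accept header and the token, and reads the X-Ratelimit-* headers shown above. The environment variable name `CSIRTG_TOKEN`, the `reserve` threshold and the function names are assumptions.

```python
import os
import urllib.parse
import urllib.request

API_ROOT = "https://csirtg.io/api"
ACCEPT_V0 = "application/vnd.csirtg.v0"

def token_from_env(var="CSIRTG_TOKEN"):
    """Read the token from the environment (variable name is an assumption)
    so it does not end up in shell history or the process list."""
    return os.environ.get(var, "")

def build_request(path, token, query=None):
    """Build, without sending, a GET request pinned to v0 with token auth."""
    if not token or "\r" in token or "\n" in token:
        raise ValueError("missing or malformed API token")
    url = API_ROOT + path
    if query:
        url += "?" + urllib.parse.urlencode(query)
    return urllib.request.Request(url, headers={
        "Accept": ACCEPT_V0,
        "Authorization": "Token token=" + token,
    })

def ratelimit_state(headers):
    """Parse the X-Ratelimit-* response headers, ignoring header-name case."""
    h = {k.lower(): v for k, v in headers.items()}
    return {
        "limit": int(h["x-ratelimit-limit"]),
        "remaining": int(h["x-ratelimit-remaining"]),
        "period": h["x-ratelimit-period"],
    }

def may_send(state, reserve=100):
    """True while the remaining budget is above a locally chosen reserve."""
    return state["remaining"] > reserve

if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network.
    req = build_request("/search", "CONSTRUCTED-TOKEN", {"q": "example.com", "limit": 5})
    print(req.full_url, req.header_items())
    seen = {"X-Ratelimit-Limit": "5000", "X-Ratelimit-Remaining": "4999",
            "X-Ratelimit-Period": "day"}
    print(ratelimit_state(seen), may_send(ratelimit_state(seen)))
```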
Schema
All data is sent and received as JSON.
Blank fields can be included as 'null' or omitted.
Root Endpoint
The root endpoint for the API is /api.
$ curl https://csirtg.io/api
{
"current_user_url": "https://csirtg.io/api/users/:user",
"user_feeds_url": "https://csirtg.io/api/users/:user/feeds",
"user_feed_url": "https://csirtg.io/api/users/:user/feeds/:feed"
}
Parameters
Many API methods take optional parameters.
Name | Type | Limit | Description |
---|---|---|---|
application | string | 255 characters | Comma separated list of one word tags |
attachment | dict | { 'data': [base64], 'filename': filename} | |
description | string | 255 characters | String |
firsttime | datetime | Format: YYYY-MM-DDTHH:MM:SSZ | |
lasttime | datetime | Format: YYYY-MM-DDTHH:MM:SSZ or Integer (ie: 3 for "greater than or equal to 3 days ago") | |
portlist | string | 255 characters | Hyphenated or comma separated list of destination ports |
portlist_src | string | 255 characters | Hyphenated or comma separated list of source ports |
protocol | integer | 6 or 17 | |
tags | string | 255 characters | Comma separated list of one word tags |
thing | string | 255 characters | (ipv4, ipv6, fqdn, url, email) |
For GET requests, any parameters not specified as a segment in the path can be passed as an HTTP query string parameter:
$ curl -H ... -i "https://csirtg.io/api/search?q=example.com&limit=5"
For POST/PUT requests, parameters not included in the URL should be encoded as JSON with a Content-Type of ‘application/json’:
$ curl -XPOST -H "Content-Type: application/json" https://csirtg.io/api/users/wes/feeds/zeus/indicators -d '{"indicator": { "thing": "badsite.com" }, "tags": ["zeus","bot"], "comment": "this will pwn you!" }'
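An added example (not part of the CSIRTG wiki or SDKs) that checks a parameter dict against the table above before it is sent. It follows the table, so `tags` is a comma separated string; the regular expressions used to recognise a `thing`, the 65535 port bound and all function names are assumptions, and `attachment` is not checked.

```python
import contextlib
import ipaddress
import re
from datetime import datetime

STRINGS = ("application", "description", "portlist", "portlist_src", "tags", "thing")
PORTLIST = re.compile(r"\d{1,5}(-\d{1,5})?(,\d{1,5}(-\d{1,5})?)*")
FQDN = re.compile(r"(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.I)
EMAIL = re.compile(r"[^@\s]+@" + FQDN.pattern, re.I)
URL = re.compile(r"[a-z][a-z0-9+.-]*://[^\s/]+\S*", re.I)

def classify_thing(thing):
    """Return which of the table's types a value is, or None if it fits none."""
    with contextlib.suppress(ValueError):
        return "ipv%d" % ipaddress.ip_address(thing).version
    kinds = (("url", URL), ("email", EMAIL), ("fqdn", FQDN))
    return next((k for k, pat in kinds if pat.fullmatch(thing)), None)

def is_timestamp(value):
    """True for a real date and time written as YYYY-MM-DDTHH:MM:SSZ."""
    try:
        datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    except (TypeError, ValueError):
        return False
    return len(value) == 20  # strptime alone also accepts unpadded fields

def ports_ok(v):
    """True for comma separated ports or port ranges, each at most 65535."""
    return bool(PORTLIST.fullmatch(v)) and all(int(n) <= 65535 for n in re.split("[-,]", v))

CHECKS = {  # parameter -> predicate derived from the table's Limit column
    "thing": lambda v: classify_thing(v) is not None,
    "portlist": ports_ok, "portlist_src": ports_ok,
    "protocol": lambda v: type(v) is int and v in (6, 17),
    "firsttime": is_timestamp,
    "lasttime": lambda v: is_timestamp(v) or (type(v) is int and v >= 0),
}

def validate_indicator(params):
    """Return the problems found; an empty list means the values fit the table."""
    errors = []
    for name, value in params.items():
        if value is None:
            continue  # blank fields may be null or omitted
        if name in STRINGS and not (isinstance(value, str) and len(value) <= 255):
            errors.append(name + ": string of at most 255 characters expected")
        elif name in CHECKS and not CHECKS[name](value):
            errors.append(name + ": value does not match the table")
    return errors
```

`validate_indicator` returns one message per offending parameter, so a caller can reject the submission locally instead of spending a request on it.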
Search
$ curl "https://csirtg.io/api/search?q=example.com"
[
{
"indicator": {
"id": 50242,
"thing": "example.com",
"portlist": null,
"lasttime": null,
"created_at": "2015-02-20 14:13:09 UTC",
"updated_at": "2015-02-20 14:13:09 UTC",
"comments": [
{
"comment": {
"text": "test",
"updated_at": "2015-02-20 14:13:09 UTC",
"user_id": "wes"
}
}
],
"feed_id": "zeus",
"user_id": "wes",
"tags": [
"zeus",
"bot"
]
}
}
]
Feeds
List Feeds
$ curl https://csirtg.io/api/users/wes/feeds
[
{
"feed": {
"name": "zeus",
"description": null,
"created_at": "2015-02-20 14:11:48 UTC",
"updated_at": "2015-02-20 14:11:48 UTC",
"license": {
"name": "CC BY-SA 4.0",
"url": "http://creativecommons.org/licenses/by-sa/4.0/"
}
}
}
]
Get Feed
$ curl https://csirtg.io/api/users/wes/feeds/scanners
{
"feed": {
"name": "scanners",
"description": "test",
"updated_at": "2015-02-23 15:29:06 UTC",
"created_at": "2015-02-23 15:29:06 UTC",
"license": {
"name": "CC BY-SA 4.0",
"url": "http://creativecommons.org/licenses/by-sa/4.0/"
},
"indicators": [
{
"indicator": {
"id": 50340,
"thing": "1.2.3.4",
"portlist": "22",
"lasttime": "2015-02-28 14:22:00 UTC",
"created_at": "2015-02-28 14:22:30 UTC",
"updated_at": "2015-02-28 14:22:30 UTC",
"comments": [
],
"tags": [
"scanners",
"ssh"
]
}
}
],
"user": "wes"
}
}
Create Feed
$ curl -XPOST -H "Content-Type: application/json" https://csirtg.io/api/users/wes/feeds -d '{"feed": { "name": "spyeye", "description": "spyeye bad" } }'
{
"feed": {
"name": "spyeye",
"description": "bad",
"updated_at": "2015-02-28 14:33:57 UTC",
"created_at": "2015-02-28 14:33:57 UTC",
"license": {
"name": "CC BY-SA 4.0",
"url": "http://creativecommons.org/licenses/by-sa/4.0/"
},
"indicators": [
],
"user": "wes"
}
}
Indicators
Create
$ curl -XPOST -H "Content-Type: application/json" https://csirtg.io/api/users/wes/feeds/zeus/indicators -d '{"indicator": { "thing": "badsite.com" }, "tags": ["zeus","bot"], "comment": "this will pwn you!" }'
{
"indicator": {
"id": 50347,
"thing": "badsite.com",
"portlist": null,
"protocol": null,
"lasttime": null,
"created_at": "2015-02-28 14:40:39 UTC",
"updated_at": "2015-02-28 14:40:39 UTC",
"comments": [
{
"comment": {
"text": "this will pwn you!",
"created_at": "2015-02-28 14:40:39 UTC",
"user": "wes"
}
}
],
"license": {
"name": "CC BY-SA 4.0",
"url": "http://creativecommons.org/licenses/by-sa/4.0/"
},
"tags": [
"spyeye",
"bot"
],
"feed": "spyeye",
"user": "wes",
"location": "https://csirtg.io/api/users/wes/feeds/spyeye/indicators/50347"
}
}