Responder#
You need to connect TheHive to a cortex server in order to enable responders.
Attention
Responder can only be run on an observable of a case.
Run a responder on an observable#
POST /api/connector/cortex/action
Request example#
{
"cortexId": "Stable",
"responderId": "e4c500d589d14503883c02d02313cf57",
"objectType": "case_artifact",
"objectId": "~816984288"
}
The following fields are required:
cortexId
: name of the cortex server from the configurationobjectType
: should becase_artifact
hereobjectId
: id of the observable to analyzeresponderId
: id of the cortex responder to use
Responseexample#
{
"responderId": "e4c500d589d14503883c02d02313cf57",
"responderName": "ADD_TO_WEBPROXY_BL_1_0",
"responderDefinition": "ADD_TO_WEBPROXY_BL_1_0",
"cortexId": "Stable",
"cortexJobId": "Bv0cq3sB8Pn57ilsUkFM",
"objectType": "Observable",
"objectId": "~816984288",
"status": "Waiting",
"startDate": 1630663366136,
"operations": "[]",
"report": "{}"
}
List responder actions#
GET /api/connector/cortex/action/case_artifact/{observableId}
Responseexample#
Example
[
{
"responderId": "e4c500d589d14503883c02d02313cf57",
"responderName": "ADD_TO_WEBPROXY_BL_1_0",
"responderDefinition": "ADD_TO_WEBPROXY_BL_1_0",
"cortexId": "Stable",
"cortexJobId": "Bv0cq3sB8Pn57ilsUkFM",
"objectType": "Observable",
"objectId": "~816984288",
"status": "Failure",
"startDate": 1630663366136,
"endDate": 1630663372393,
"operations": "[]",
"report": "{\"summary\":{\"taxonomies\":[]},\"full\":null,\"success\":false,\"artifacts\":[],\"operations\":[],...}"
}
]
-
status
can be one of:Waiting
Success
InProgress
Failure
Deleted
-
report
is a string that contains the output of the responder
Last update:
October 13, 2023 07:01:35