6 changes: 6 additions & 0 deletions docs/GreedyBear/Installation.md
Expand Up @@ -56,6 +56,12 @@ To receive messages about errors occurring at the instance, it is also recommend
- `DEFAULT_SLACK_CHANNEL`: ID of the Slack channel you want to post the message to
- `NTFY_URL`: URL of a ntfy topic to receive error alerts

### Enrichment Configuration
To enable fetching of data from third-party services like AbuseIPDB and ThreatFox to enrich IOCs, you may need to configure specific API keys:

- `ABUSEIPDB_API_KEY`: API key for validating IPs against AbuseIPDB and annotating them with an `abuse_confidence_score` and country data.
- `THREATFOX_API_KEY`: API key for fetching the latest IOCs from ThreatFox.

## Start the Application

```bash
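Review bot: "you may need to configure specific API keys" leaves it unclear whether `ABUSEIPDB_API_KEY` and `THREATFOX_API_KEY` are optional and what enrichment does when one is unset; state explicitly whether the corresponding lookup is skipped or the service refuses to start when a key is missing. Both values are credentials, so also say where they are read from (the same configuration as `DEFAULT_SLACK_CHANNEL` and `NTFY_URL` above, presumably) so readers do not put them in a committed file.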
26 changes: 13 additions & 13 deletions docs/GreedyBear/Usage.md
Expand Up @@ -30,9 +30,9 @@ The available prioritization mechanisms are:

The available formats are:

- `txt`: plain text (just one line for each IOC)
- `csv`: CSV-like file (just one line for each IOC)
- `json`: JSON file with additional information regarding the IOCs
- `txt`: plain text (just one line for each IOC, tags are not included)
- `csv`: CSV-like file (just one line for each IOC, tags are not included)
- `json`: JSON file with additional information regarding the IOCs (including tags when available)

The available flags are:

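Review bot: the "tags are not included" parentheticals on the `txt` and `csv` lines and "including tags when available" on the `json` line state the same rule three times; one sentence after the list, e.g. "Tags are only returned in the `json` format", would be clearer and easier to keep consistent with the `tags` field description further down in this file.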
Expand All @@ -44,20 +44,19 @@ The `json` result includes two predictive scores:
- `recurrence_probability` (0.0-1.0): Indicates the likelihood that an IOC will reappear within the next 24 hours. Higher values suggest greater persistence of the threat.
- `expected_interactions` (0+): Estimates the number of honeypot interactions anticipated from the IOC in the next 24 hours, indicating potential activity level.

The response includes a new field:

_Available from version >= 3.2.0_
These predictions are based on historical interaction patterns and are updated once a day, shortly after midnight UTC. They are the foundation of the `likely_to_recur` and `most_expected_hits` prioritization mechanisms.

- `attacker_country`: The country associated with the attacking IP address.
Additional fields available in the response:

These predictions are based on historical interaction patterns and are updated once a day, shortly after midnight UTC. They are the foundation of the `likely_to_recur` and `most_expected_hits` prioritization mechanisms.
- `attacker_country` _(from version >= 3.2.0)_: The country associated with the attacking IP address.
- `tags` _(from version >= 3.3.0)_: A list of tags attached to the IOC, each containing `key`, `value`, and `source`. (Only included when `format=json`).

Check the [API specification](https://intelowlproject.github.io/docs/GreedyBear/Api-docs/#docs.Submodules.GreedyBear.api.views.feeds.feeds_advanced) or the to get all the details about how to use the available APIs.

## Advanced Feeds API
_Available from version >= 1.4.0_

For authenticated users, GreedyBear offers an additional API endpoint that provides similar functionality to the Feeds API but with enhanced customization options.
For authenticated users, GreedyBear offers an additional API endpoint that provides similar functionality to the Feeds API but with enhanced customization options like filtering by tags.
```
https://<greedybear_site>/api/feeds/advanced/?<query_params>
```
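Review bot: the unchanged context line "Check the [API specification](...) or the to get all the details" still has a dangling "or the" (a second link appears to have been dropped); since this hunk already rewrites the surrounding paragraph, fix that sentence here. The new `tags` bullet also says each tag carries a `source`, but neither this page nor the Installation.md hunk lists the possible source values; naming them (the enrichment services this PR adds keys for) would let consumers filter on them reliably.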
Expand All @@ -75,12 +74,13 @@ The available query parameters are:
- `verbose`: `true` to include IOC properties that contain a lot of data, e.g. the list of days it was seen. (default: `false`)
- `paginate`: `true` to paginate results. This forces the json format. (default: `false`)
- `format_`: see [Feeds API](#feeds) (default: `json`)
- `tag_key`: Filter by a specific tag key (e.g., `abuse_confidence_score`). _(from version >= 3.3.0)_
- `tag_value`: Filter by a specific tag value (e.g., `100`). Works best in combination with `tag_key`. _(from version >= 3.3.0)_

The response includes a new field:

_Available from version >= 3.2.0_
Additional fields available in the response:

- `attacker_country`: The country associated with the attacking IP address.
- `attacker_country` _(from version >= 3.2.0)_: The country associated with the attacking IP address.
- `tags` _(from version >= 3.3.0)_: A list of tags attached to the IOC, each containing `key`, `value`, and `source`. (Only included when `format=json`).

Check the [API specification](https://intelowlproject.github.io/docs/GreedyBear/Api-docs/) or the to get all the details about how to use the available APIs.

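Review bot: "Works best in combination with `tag_key`" is too vague for an API reference; say what `tag_value` without `tag_key` does (match the value under any key?), whether matching is exact or substring, and that the value is compared as a string (the example `100` for `abuse_confidence_score` suggests so). Also state how `tag_key`/`tag_value` interact with `format_`: the `tags` bullet says tags are only included with `format=json`, so document whether the filter still applies to `txt`/`csv` output. The same dangling "or the" in the "Check the [API specification]" line appears in this hunk's context too.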