API Guide#

This guide applies only to Cortex 2 and newer. It is not applicable to Cortex 1.

Table of Contents#

Introduction
- Request & Response Formats
- Authentication
Organization APIs
User APIs
Job APIs
Analyzer APIs
- Analyzer Model
- Enable
- List and Search
- Get Details
- Get By Type
- Update
- Run
- Disable
Miscellaneous APIs
- Paging and Sorting

Introduction#

Cortex 2 offers a REST API that can be leveraged by various applications and programs to interact with it. The following guide describe the Cortex 2 API to allow developers to interface the powerful observable analysis engine with other SIRPs (Security Incident Response Platforms) besides TheHive, TIPs (Threat Intelligence Platforms), SIEMs or scripts. Please note that the Web UI of Cortex 2 exclusively leverage the REST API to interact with the back-end.

Note: You can use Cortex4py, the Python library we provide, to facilitate interaction with the REST API of Cortex. You need Cortex4py 2.0.0 or later as earlier versions are not compatible with Cortex 2.

All the exposed APIs share the same request & response formats and authentication strategies as described below.

There are also some transverse parameters supported by several calls, in addition to utility APIs.

If you want to create an analyzer, please read the How to Write and Submit an Analyzer guide.

Request & Response Formats#

Cortex accepts several parameter formats within a HTTP request. They can be used indifferently. Input data can be:

A query string
A URL-encoded form
A multi-part
JSON

Hence, the requests shown below are equivalent.

Query String#

curl -XPOST 'https://CORTEX_APP_URL:9001/api/login?user=me&password=secret'

URL-encoded Form#

curl -XPOST 'https://CORTEX_APP_URL:9001/api/login' -d user=me -d password=secret

JSON#

curl -XPOST https://CORTEX_APP_URL:9001/api/login -H 'Content-Type: application/json' -d '{
  "user": "me",
  "password": "secret"
}'

Multi-part#

curl -XPOST https://CORTEX_APP_URL:9001/api/login -F '_json=<-;type=application/json' << _EOF_
{
  "user": "me",
  "password": "secret"
}
_EOF_

Response Format#

For each request submitted, Cortex will respond back with JSON data. For example, if the authentication request is successful, Cortex should return the following output:

{"id":"me","name":"me","roles":["read","analyze","orgadmin"]}

If not, Cortex should return an authentication error:

{"type":"AuthenticationError","message":"Authentication failure"}

Authentication#

Most API calls require authentication. Credentials can be provided using a session cookie, an API key or directly using HTTP basic authentication (if this method is specifically enabled).

Session cookies are better suited for browser authentication. Hence, we recommend authenticating with API keys when calling the Cortex APIs.

Generating API Keys with an orgAdmin Account#

API keys can be generated using the Web UI. To do so, connect using an orgAdmin account then click on Organization and then on the Create API Key button in the row corresponding to the user you intend to use for API authentication. Once the API key has been created, click on Reveal to display the API key then click on the copy to clipboard button if you wish to copy the key to your system's clipboard.

If the user is not yet created, start by clicking on Add user to create it then follow the steps mentioned above.

Generating API Keys with a superAdmin Account#

You can use a superAdmin account to achieve the same result as described above. Once authenticated, click on Users then on the Create API Key button in the row corresponding to the user you intend to use for API authentication. Please make sure the user is in the right organization by thoroughly reading its name, which is shown below the user name. Once the API key has been created, click on Reveal to display the API key then click on the copy to clipboard button if you wish to copy the key to your system's clipboard.

Authenticating with an API Key#

Once you have generated an API key you can use it, for example, to list the Cortex jobs thanks to the following curl command:

# Using API key
curl -H 'Authorization: Bearer **API_KEY**' https://CORTEX_APP_URL:9001/api/job

As you can see in the example above, we instructed curl to add the Authorization header to the request. The value of the header is Bearer: **API_KEY**. So if your API key is GPX20GUAQWwpqnhA6JpOwNGPMfWuxsX3, the curl command above would look like the following:

# Using API key
curl -H 'Authorization: Bearer GPX20GUAQWwpqnhA6JpOwNGPMfWuxsX3' https://CORTEX_APP_URL:9001/api/job

Using Basic Authentication#

Cortex also supports basic authentication but it is disabled by default for security reasons. If you absolutely need to use it, you can enable it by adding auth.method.basic=true to the configuration file (/etc/cortex/application.conf by default). Once you do, restart the Cortex service. You can then, for example, list the Cortex jobs using the following curl command:

# Using basic authentication
curl -u mylogin:mypassword https://CORTEX_APP_URL:9001/api/job

Organization APIs#

Cortex offers a set of APIs to create, update and list organizations.

Organization Model#

An organization (org) is defined by the following attributes:

Attribute	Description	Type
`id`	Copy of the org's name (see next row)	readonly
`name`	Name	readonly
`status`	Status (`Active` or `Locked`)	writable
`description`	Description	writable
`createdAt`	Creation date	computed
`createdBy`	User who created the org	computed
`updatedAt`	Last update	computed
`updatedBy`	User who last updated the org	computed

Please note that id and name are essentially the same. Also, createdAt and updatedAt are in epoch.

List#

It is possible to list all the organizations using the following API call, which requires the API key associated with a superAdmin account:

curl -H 'Authorization: Bearer **API_KEY**' 'https://CORTEX_APP_URL:9001/api/organization'

You can also search/filter organizations using the following query:

curl -H 'Authorization: Bearer **API_KEY**' -H 'Content-Type: application/json' 'https://CORTEX_APP_URL:9001/api/organization/_search' -d '{
  "query": {"status": "Active"}
}'

Both APIs supports the range and sort query parameters described in paging and sorting details.

Create#

It is possible to create an organization using the following API call, which requires the API key associated with a superAdmin account:

curl -XPOST -H 'Authorization: Bearer **API_KEY**' -H 'Content-Type: application/json' 'https://CORTEX_APP_URL:9001/api/organization' -d '{
  "name": "demo",
  "description": "Demo organization",
  "status": "Active"
}'

Update#

You can update an organization's description and status (Active or Locked) using the following API call. This requires the API key associated with a superAdmin account:

curl -XPATCH -H 'Authorization: Bearer **API_KEY**' -H 'Content-Type: application/json' 'https://CORTEX_APP_URL:9001/api/organization/ORG_ID' -d '{
  "description": "New Demo organization",
}'

or

curl -XPATCH -H 'Authorization: Bearer **API_KEY**' -H 'Content-Type: application/json' 'https://CORTEX_APP_URL:9001/api/organization/ORG_ID' -d '{
  "status": "Active",
}'

Delete#

Deleting an organization just marks it as Locked and doesn't remove the associated data from the DB. To "delete" an organization, you can use the API call shown below. It requires the API key associated with a superAdmin account.

curl -XDELETE -H 'Authorization: Bearer **API_KEY**' 'https://CORTEX_APP_URL:9001/api/organization/ORG_ID'

Obtain Details#

This API call returns the details of an organization as described in the Organization model section.

curl -H 'Authorization: Bearer **API_KEY**' 'https://CORTEX_APP_URL:9001/api/organization/ORG_ID'

Let's assume that the organization we are seeking to obtain details about is called demo. The curl command would be:

curl -H 'Authorization: Bearer **API_KEY**' 'https://CORTEX_APP_URL:9001/api/organization/demo'

and it should return:

{
  "id": "demo",
  "name": "demo",
  "status": "Active",
  "description": "Demo organization",
  "createdAt": 1520258040437,
  "createdBy": "superadmin",
  "updatedBy": "superadmin",
  "updatedAt": 1522077420693
}

List Users#

As mentioned above, you can use the API to return the list of all the users declared withing an organization. For that purpose, use the API call shown below with the API key of an orgAdmin or superAdmin account. It supports the range and sort query parameters declared in paging and sorting details.

curl -H 'Authorization: Bearer **API_KEY**' 'https://CORTEX_APP_URL:9001/api/organization/ORG_ID/user'

and should return a list of users.

If one wants to filter/search for some users (active ones for example), there is a search API to use as below:

curl -XPOST -H 'Authorization: Bearer **API_KEY**' -H 'Content-Type: application/json' 'https://CORTEX_APP_URL:9001/api/organization/ORG_ID/user/_search' -d '{
  "query": {}
}'

It also supports the range and sort query parameters declared in paging and sorting details.

List Enabled Analyzers#

To list the analyzers that have been enabled within an organization, use the following API call with the API key of an orgAdmin user:

curl -H 'Authorization: Bearer **API_KEY**' 'https://CORTEX_APP_URL:9001/api/analyzer'

It should return a list of Analyzers.

Please note that this API call does not display analyzers that are disabled. It supports the range and sort query parameters declared in paging and sorting details.

User APIs#

The following section describes the APIs that allow creating, updating and listing users within an organization.

User Model#

A user is defined by the following attributes:

Attribute	Description	Type
`id`	ID/login	readonly
`name`	Name	writable
`roles`	Roles. Possible values are: `read`, `read,analyze`, `read,analyze,orgadmin` and `superadmin`	writable
`status`	Status (`Active` or `Locked`)	writable
`organization`	organization to which the user belongs (set upon account creation)	readonly
`createdAt`	Creation date	computed
`createdBy`	User who created the account	computed
`updatedAt`	Last update date	computed
`updatedBy`	User who last updated the account	computed
`hasKey`	true when the user has an API key	computed
`hasPassword`	true if the user has a password	computed

List All#

This API call allows a superAdmin to list and search all the users of all defined organizations:

curl -H 'Authorization: Bearer **API_KEY**' 'https://CORTEX_APP_URL:9001/api/user'

This call supports the range and sort query parameters declared in paging and sorting details.

List Users within an Organization#

This call is described in organization APIs.

Search#

This API call allows a superAdmin to perform search on the user accounts created in a Cortex instance:

curl -XPOST -H 'Authorization: Bearer **API_KEY**' -H 'Content-Type: application/json' 'https://CORTEX_APP_URL:9001/api/user/_search' -d '{
  "query": {}
}'

This call supports the range and sort query parameters declared in paging and sorting details

Create#

This API calls allows you to programmatically create user creation. If the call is made by a superAdmin user, the request must specify the organization to which the user belong in the organization field.

If the call is made by an orgAdmin user, the value of organization field must be the same as the user who makes the call: orgAdmin users are allowed to create users only in their organization.

curl -XPOST -H 'Authorization: Bearer **API_KEY**' -H 'Content-Type: application/json' 'https://CORTEX_APP_URL:9001/api/user' -d '{
  "name": "Demo org Admin",
  "roles": [
    "read",
    "analyze",
    "orgadmin"
  ],
  "organization": "demo",
  "login": "demo"
}'

If successful, the call returns a JSON object representing the created user as described above.

{
  "id": "demo",
  "organization": "demo",
  "name": "Demo org Admin",
  "roles": [
    "read",
    "analyze",
    "orgadmin"
  ],
  "status": "Ok",
  "createdAt": 1526050123286,
  "createdBy": "superadmin",
  "hasKey": false,
  "hasPassword": false
}

Update#

This API call allows updating the writable attributed of a user account. It's available to users with superAdmin or orgAdmin roles. Any user can also use it to update their own information (but obviously not their roles).

curl -XPATCH -H 'Authorization: Bearer **API_KEY**' -H 'Content-Type: application/json' 'https://CORTEX_APP_URL:9001/api/user/USER_LOGIN' -d '{
  "name": "John Doe",
  "roles": [
    "read",
    "analyze"
  ],
  "status": "Locked"
}'

It returns a JSON object representing the updated user as described above.

Get Details#

This call returns the user details. It's available to users with superAdmin roles and to users in the same organization. Every user can also use it to read their own details.

curl -H 'Authorization: Bearer **API_KEY**' 'https://CORTEX_APP_URL:9001/api/user/USER_LOGIN'

It returns a JSON object representing the user as described previously.

Set a Password#

This call sets the user's password. It's available to users with superAdmin or orgAdmin roles. Please note that the request needs to be made using HTTPS with a valid certificate on the server's end to prevent credential sniffing or other PITM (Person-In-The-Middle) attacks.

curl -XPOST -H 'Authorization: Bearer **API_KEY**' -H 'Content-Type: application/json' 'https://CORTEX_APP_URL:9001/api/user/USER_LOGIN/password/set' -d '{
  "password": "SOMEPASSWORD"
}'

If successful, the call returns 204 (success / no content).

Change a password#

This call allows a given user to change only their own existing password. It is available to all users including superAdmin and orgAdmin ones. Please note that if a superAdmin or an orgAdmin needs to update the password of another user, they must use the /password/set call described in the previous subsection.

curl -XPOST -H 'Authorization: Bearer **API_KEY**' -H 'Content-Type: application/json' 'https://CORTEX_APP_URL:9001/api/user/USER_LOGIN/password/change' -d '{
  "currentPassword": "password",
  "password": "new-password"
}'

If successful, the call returns 204 (success / no content).

Set and Renew an API Key#

This calls allows setting and renewing the API key of a user. It's available to users with superAdmin or orgAdmin roles. Any user can also use it to renew their own API key. Again, the request needs to be made using HTTPS with a valid certificate on the server's end to prevent credential sniffing or other PITM (Person-In-The-Middle) attacks. You know the drill ;-)

curl -XPOST -H 'Authorization: Bearer **API_KEY**' 'https://CORTEX_APP_URL:9001/api/user/USER_LOGIN/key/renew'

If successful, it returns the generated API key in a text/plainresponse.

Get an API Key#

This calls allows getting a user's API key. It's available to users with superAdmin or orgAdmin roles. Any user can also use it to obtain their own API key.

curl -H 'Authorization: Bearer **API_KEY**' 'https://CORTEX_APP_URL:9001/api/user/USER_LOGIN/key'

If successful, the generated API key is returned in text/plainresponse

Revoke an API Key#

This calls allow revoking a user's API key. This calls allow revoking a user's API key.

curl -XDELETE -H 'Authorization: Bearer **API_KEY**' 'https://CORTEX_APP_URL:9001/api/user/USER_LOGIN/key'

A successful request returns nothing (HTTP 200 OK).

Job APIs#

The following section describes the APIs that allow manipulating jobs. Jobs are basically submissions made to analyzers and the resulting reports.

Job Model#

A job is defined by the following attributes:

Attribute	Description	Type
`id`	Job ID	computed
`organization`	The organization to which the job belongs	readonly
`analyzerDefinitionId`	Analyzer definition name	readonly
`analyzerId`	Instance ID of the analyzer to which the job is associated	readonly
`organization`	Organization to which the user belongs (set upon account creation)	readonly
`analyzerName`	Name of the analyzer to which the job is associated	readonly
`dataType`	the datatype of the analyzed observable	readonly
`status`	Status of the job (`Waiting`, `InProgress`, `Success`, `Failure`, `Deleted`)	computed
`data`	Value of the analyzed observable (does not apply to `file` observables)	readonly
`attachment`	JSON object representing `file` observables (does not apply to non-`file` observables). It defines the`name`, `hashes`, `size`, `contentType` and `id` of the `file` observable	readonly
`parameters`	JSON object of key/value pairs set during job creation	readonly
`message`	A free text field to set additional text/context for a job	readonly
`tlp`	The TLP of the analyzed observable	readonly
`startDate`	Start date	computed
`endDate`	End date	computed
`createdAt`	Creation date. Please note that a job can be requested but not immediately honored. The actual time at which it is started is the value of `startDate`	computed
`createdBy`	User who created the job	computed
`updatedAt`	Last update date (only Cortex updates a job when it finishes)	computed
`updatedBy`	User who submitted the job and which identity is used by Cortex to update the job once it is finished	computed

List and Search#

This call allows a user with read,analyze or orgAdmin role to list and search all the analysis jobs made by their organization.

If you want to list all the jobs:

curl -XPOST -H 'Authorization: Bearer **API_KEY**' 'https://CORTEX_APP_URL:9001/api/job/_search?range=all'

If you want to list 10 jobs:

curl -XPOST -H 'Authorization: Bearer **API_KEY**' 'https://CORTEX_APP_URL:9001/api/job/_search'

If you want to list 100 jobs:

curl -XPOST -H 'Authorization: Bearer **API_KEY**' 'https://CORTEX_APP_URL:9001/api/job/_search?range=0-100'

If you want to search jobs according to various criteria:

curl -XPOST -H 'Authorization: Bearer **API_KEY**' -H 'Content-Type: application/json' 'https://CORTEX_APP_URL:9001/api/job/_search' -d '{
  "query": {
    "_and": [
      {"status": "Success"},
      {"dataType": "ip"}
    ]
  }
}'

This call supports the range and sort query parameters declared in paging and sorting details

Get Details#

This call allows a user with read,analyze or orgAdmin role to get the details of a job. It does not fetch the job report.

curl -H 'Authorization: Bearer **API_KEY**' 'https://CORTEX_APP_URL:9001/api/job/JOB_ID'

It returns a JSON response with the following structure:

{
  "id": "AWNei4vH3rJ8unegCPB9",
  "analyzerDefinitionId": "Abuse_Finder_2_0",
  "analyzerId": "220483fde9608c580fb6a2508ff3d2d3",
  "analyzerName": "Abuse_Finder_2_0",
  "status": "Success",
  "data": "8.8.8.8",
  "parameters": "{}",
  "tlp": 0,
  "message": "",
  "dataType": "ip",
  "organization": "demo",
  "startDate": 1526299593923,
  "endDate": 1526299597064,
  "date": 1526299593633,
  "createdAt": 1526299593633,
  "createdBy": "demo",
  "updatedAt": 1526299597066,
  "updatedBy": "demo"
}

Get Details and Report#

This call allows a user with read,analyze or orgAdmin role to get the details of a job including its report.

curl -H 'Authorization: Bearer **API_KEY**' 'https://CORTEX_APP_URL:9001/api/job/JOB_ID/report'

It returns a JSON response with the structure below. If the job is not yet completed, the report field contains a string representing the job status:

{
  "id": "AWNei4vH3rJ8unegCPB9",
  "analyzerDefinitionId": "Abuse_Finder_2_0",
  "analyzerId": "220483fde9608c580fb6a2508ff3d2d3",
  "analyzerName": "Abuse_Finder_2_0",
  "status": "Success",
  "data": "8.8.8.8",
  "parameters": "{}",
  "tlp": 0,
  "message": "",
  "dataType": "ip",
  "organization": "demo",
  "startDate": 1526299593923,
  "endDate": 1526299597064,
  "date": 1526299593633,
  "createdAt": 1526299593633,
  "createdBy": "demo",
  "updatedAt": 1526299597066,
  "updatedBy": "demo",
  "report": {
    "summary": {
      "taxonomies": [
        {
          "predicate": "Address",
          "namespace": "Abuse_Finder",
          "value": "[email protected]",
          "level": "info"
        }
      ]
    },
    "full": {
      "abuse_finder": {
        "raw": "...",
        "abuse": [
          "[email protected]"
        ],
        "names": [
          "Google LLC",
          "Level 3 Parent, LLC"
        ],
        "value": "8.8.8.8"
      }
    },
    "success": true,
    "artifacts": []
  }
}

Wait and Get Job Report#

This call is similar the one described above but allows the user to provide a timeout to wait for the report in case it is not available at the time the query was made:

curl -H 'Authorization: Bearer **API_KEY**' 'https://CORTEX_APP_URL:9001/api/job/JOB_ID/waitreport?atMost=1minute'

The atMost is a duration using the format Xhour, Xminute or Xsecond.

Get Artifacts#

This call allows a user with read,analyze or orgAdmin role to get the extracted artifacts from a job if such extraction has been enabled in the corresponding analyzer configuration. Please note that extraction is imperfect and you might have inconsistent or incorrect data.

curl -H 'Authorization: Bearer **API_KEY**' 'https://CORTEX_APP_URL:9001/api/job/JOB_ID/artifacts'

It returns a JSON array with the following structure:

[
  {
    "dataType": "ip",
    "createdBy": "demo",
    "data": "8.8.8.8",
    "tlp": 0,
    "createdAt": 1525432900553,
    "id": "AWMq4tvLjidKq_asiwcl"
  }
]

Delete#

This API allows a user with analyze or orgAdmin role to delete a job:

curl -XDELETE -H 'Authorization: Bearer **API_KEY**' 'https://CORTEX_APP_URL:9001/api/job/JOB_ID'

This marks the job as Deleted. However the job's data is not removed from the database.

Analyzer APIs#

The following section describes the APIs that allow manipulating analyzers.

Analyzer Model#

An analyzer is defined by the following attributes:

Attribute	Description	Type
`id`	Analyzer ID once enabled within an organization	readonly
`analyzerDefinitionId`	Analyzer definition name	readonly
`name`	Name of the analyzer	readonly
`version`	Version of the analyzer	readonly
`description`	Description of the analyzer	readonly
`author`	Author of the analyzer	readonly
`url`	URL where the analyzer has been published	readonly
`license`	License of the analyzer	readonly
`dataTypeList`	Allowed datatypes	readonly
`baseConfig`	Base configuration name. This identifies the shared set of configuration with all the analyzer's flavors	readonly
`jobCache`	Report cache timeout in minutes, visible for `orgAdmin` users only	writable
`rate`	Numeric amount of analyzer calls authorized for the specified `rateUnit`, visible for `orgAdmin` users only	writable
`rateUnit`	Period of availability of the rate limite: `Day` or `Month`, visible for `orgAdmin` users only	writable
`configuration`	A JSON object where key/value pairs represent the config names, and their values. It includes the default properties `proxy_http`, `proxy_https`, `auto_extract_artifacts`, `check_tlp`, and `max_tlp`, visible for `orgAdmin` users only	writable
`createdBy`	User who enabled the analyzer	computed
`updatedAt`	Last update date	computed
`updatedBy`	User who last updated the analyzer	computed

Enable#

This call allows a user with an orgAdmin role to enable an analyzer.

curl -XPOST -H 'Authorization: Bearer **API_KEY**' 'https://CORTEX_APP_URL:9001/api/organization/analyzer/:analyzerId' -d '{
  "name": "Censys_1_0",
  "configuration": {
    "uid": "XXXX",
    "key": "XXXXXXXXXXXXXXXXXXXX",
    "proxy_http": "http://proxy:9999",
    "proxy_https": "http://proxy:9999",
    "auto_extract_artifacts": false,
    "check_tlp": true,
    "max_tlp": 2
  },
  "rate": 1000,
  "rateUnit": "Day",
  "jobCache": 5
}'

List and Search#

These calls allow a user with a analyze or orgAdmin role to list and search all the enabled analyzers within the organization.

curl -H 'Authorization: Bearer **API_KEY**' 'https://CORTEX_APP_URL:9001/api/analyzer'

or

curl -XPOST -H 'Authorization: Bearer **API_KEY**' -H 'Content-Type: application/json' 'https://CORTEX_APP_URL:9001/api/analyzer/_search' -d '{
  "query": {}
}'

Both calls supports the range and sort query parameters declared in paging and sorting details, and both return a JSON array of analyzer objects as described in Analyzer Model section.

If called by a user with only an nalyzer role, the configuration attribute is not included on the JSON objects.

Get Details#

This call allows a user with a analyze or orgAdmin role to get an analyzer's details.

curl -H 'Authorization: Bearer **API_KEY**' 'https://CORTEX_APP_URL:9001/api/analyzer/ANALYZER_ID'

It returns a analyzer JSON object as described in Analyzer Model section.

If called by a user with only an nalyzer role, the configuration attribute is not included on the JSON objects.

Get By Type#

This call is mostly used by TheHive and allows to quickly get the list of analyzers that can run on the given datatype. It requires an analyze or orgAdmin role.

curl -H 'Authorization: Bearer **API_KEY**' 'https://CORTEX_APP_URL:9001/api/analyzer/type/DATA_TYPE'

It returns a JSON array of analyzer objects as described in Analyzer Model section without the configuration attribute, which could contain sensitive data.

Update#

This call allows an orgAdmin user to update the name, configuration and jobCache of an enabled analyzer.

curl -XPATCH -H 'Authorization: Bearer **API_KEY**' -H 'Content-Type: application/json' 'https://CORTEX_APP_URL:9001/api/analyzer/ANALYZER_ID' -d '{
  "configuration": {
    "key": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "polling_interval": 60,
    "proxy_http": "http://localhost:8080",
    "proxy_https": "http://localhost:8080",
    "auto_extract_artifacts": true,
    "check_tlp": true,
    "max_tlp": 1
  },
  "name": "Shodan_Host_1_0",
  "rate": 1000,
  "rateUnit": "Day",
  "jobCache": null
}'

It returns a JSON object describing the analyzer as defined in Analyzer Model section.

Run#

This API allows a user with a analyze or orgAdmin role to run analyzers on observables of different datatypes.

For file observables, the API call must be made as described below:

curl -XPOST -H 'Authorization: Bearer **API_KEY**' -H 'Content-Type: application/json' 'https://CORTEX_APP_URL:9001/api/analyzer/ANALYZER_ID/run' \
  -F 'attachment=@/path/to/observable-file' \
  -F '_json=<-;type=application/json' << _EOF_
  {
    "dataType":"file",
    "tlp":0
  }
_EOF_

for all the other types of observerables, the request is:

curl -XPOST -H 'Authorization: Bearer **API_KEY**' -H 'Content-Type: application/json' 'https://CORTEX_APP_URL:9001/api/analyzer/ANALYZER_ID/run' -d '{
  "data":"8.8.8.8",
  "dataType":"ip",
  "tlp":0,
  "message": "A message that can be accessed from the analyzer",
  "parameters": {
    "key1": "value1",
    "key2": "value2"
  }
}'

This call will fetch a similar job from the cache, and if it finds one, it returns it from the cache, based on the duration defined in jobCache attribute of the analyzer.

To force bypassing the cache, one can add the following query parameter: force=1

curl -XPOST -H 'Authorization: Bearer **API_KEY**' -H 'Content-Type: application/json' 'https://CORTEX_APP_URL:9001/api/analyzer/ANALYZER_ID/run?force=1' -d '{
  "data":"8.8.8.8",
  "dataType":"ip",
  "tlp":0,
  "message": "A message that can be accessed from the analyzer",
  "parameters": {
    "key1": "value1",
    "key2": "value2"
  }
}'

Disable#

This API allows an orgAdmin to disable an existing analyzer in their organization and delete the corresponding configuration.

curl -XDELETE -H 'Authorization: Bearer **API_KEY**' 'https://CORTEX_APP_URL:9001/api/analyzer/ANALYZER_ID'

Miscellaneous APIs#

Paging and Sorting#

All the search API calls allow sorting and paging parameters, in addition to a query in the request's body. These calls usually have URLs ending with the _search keyword but that's not always the case.

The followings are query parameters:

range: all or x-y where x and y are numbers (ex: 0-10).
sort: you can provide multiple sort criteria such as: -createdAt or +status.

Example:

curl -XPOST -H 'Authorization: Bearer **API_KEY**' -H 'Content-Type: application/json' 'http://CORTEX_APP_URL:9001/api/organization/ORG_ID/user?range=0-10&sort=-createdAt&sort=+status' -d '{
  "query": {}
}'

Last update: September 5, 2022 12:21:12