API Documentation

`Enrichment`

Handle enrichment requests for a specific observable (domain or IP address).

Parameters:

Name	Type	Description	Default
`request`		The incoming request object containing query parameters.	required

Returns:

Name	Type	Description
`Response`		A JSON response indicating whether the observable was found,
		and if so, the corresponding IOC.

Source code in docs/Submodules/GreedyBear/api/views/enrichment.py

@api_view([GET])
@authentication_classes([CookieTokenAuthentication])
@permission_classes([IsAuthenticated])
def enrichment_view(request):
    """
    Handle enrichment requests for a specific observable (domain or IP address).

    Args:
        request: The incoming request object containing query parameters.

    Returns:
        Response: A JSON response indicating whether the observable was found,
        and if so, the corresponding IOC.
    """
    observable_name = request.query_params.get("query")
    logger.info(f"Enrichment view requested for: {str(observable_name)}")
    serializer = EnrichmentSerializer(data=request.query_params, context={"request": request})
    serializer.is_valid(raise_exception=True)

    source_ip = str(request.META["REMOTE_ADDR"])
    request_source = Statistics(source=source_ip, view=viewType.ENRICHMENT_VIEW.value)
    request_source.save()

    return Response(serializer.data, status=status.HTTP_200_OK)

`Feeds`

Handle requests for IOC feeds with specific parameters and format the response accordingly.

Parameters:

Name	Type	Description	Default
`request`		The incoming request object.	required
`feed_type`	`str`	Type of feed (e.g., log4j, cowrie, etc.).	required
`attack_type`	`str`	Type of attack (e.g., all, specific attack types).	required
`prioritize`	`str`	Prioritization mechanism to use (e.g., recent, persistent).	required
`format_`	`str`	Desired format of the response (e.g., json, csv, txt).	required
`exclude_mass_scanners`	`bool`	query parameter flag to exclude IOCs that are known mass scanners.	required

Returns:

Name	Type	Description
`Response`		The HTTP response with formatted IOC data.

Source code in docs/Submodules/GreedyBear/api/views/feeds.py

@api_view([GET])
def feeds(request, feed_type, attack_type, prioritize, format_):
    """
    Handle requests for IOC feeds with specific parameters and format the response accordingly.

    Args:
        request: The incoming request object.
        feed_type (str): Type of feed (e.g., log4j, cowrie, etc.).
        attack_type (str): Type of attack (e.g., all, specific attack types).
        prioritize (str): Prioritization mechanism to use (e.g., recent, persistent).
        format_ (str): Desired format of the response (e.g., json, csv, txt).
        exclude_mass_scanners (bool): query parameter flag to exclude IOCs that are known mass scanners.

    Returns:
        Response: The HTTP response with formatted IOC data.
    """
    logger.info(f"request /api/feeds with params: feed type: {feed_type}, " f"attack_type: {attack_type}, prioritization: {prioritize}, format: {format_}")

    feed_params = FeedRequestParams({"feed_type": feed_type, "attack_type": attack_type, "format_": format_})
    feed_params.set_prioritization(prioritize)
    if request.query_params and "exclude_mass_scanners" in request.query_params:
        feed_params.exclude_mass_scanners()

    valid_feed_types = get_valid_feed_types()
    iocs_queryset = get_queryset(request, feed_params, valid_feed_types)
    return feeds_response(iocs_queryset, feed_params, valid_feed_types)

`Advanced Feeds`

Handle requests for IOC feeds based on query parameters and format the response accordingly.

Parameters:

Name	Type	Description	Default
`request`		The incoming request object.	required
`feed_type`	`str`	Type of feed to retrieve. (supported: `cowrie`, `log4j`, etc.; default: `all`)	required
`attack_type`	`str`	Type of attack to filter. (supported: `scanner`, `payload_request`, `all`; default: `all`)	required
`max_age`	`int`	Maximum number of days since last occurrence. E.g. an IOC that was last seen 4 days ago is excluded by default. (default: 3)	required
`min_days_seen`	`int`	Minimum number of days on which an IOC must have been seen. (default: 1)	required
`include_reputation`	`str`	`;`-separated list of reputation values to include, e.g. `known attacker` or `known attacker;` to include IOCs without reputation. (default: include all)	required
`exclude_reputation`	`str`	`;`-separated list of reputation values to exclude, e.g. `mass scanner` or `mass scanner;bot, crawler`. (default: exclude none)	required
`feed_size`	`int`	Number of IOC items to return. (default: 5000)	required
`ordering`	`str`	Field to order results by, with optional `-` prefix for descending. (default: `-last_seen`)	required
`verbose`	`bool`	`true` to include IOC properties that contain a lot of data, e.g. the list of days it was seen. (default: `false`)	required
`paginate`	`bool`	`true` to paginate results. This forces the json format. (default: `false`)	required
`format`	`str`	Response format type. Besides `json`, `txt` and `csv` are supported but the response will only contain IOC values (e.g. IP adresses) without further information. (default: `json`)	required

Returns:

Name	Type	Description
`Response`		The HTTP response with formatted IOC data.

Source code in docs/Submodules/GreedyBear/api/views/feeds.py

@api_view([GET])
@authentication_classes([CookieTokenAuthentication])
@permission_classes([IsAuthenticated])
def feeds_advanced(request):
    """
    Handle requests for IOC feeds based on query parameters and format the response accordingly.

    Args:
        request: The incoming request object.
        feed_type (str): Type of feed to retrieve. (supported: `cowrie`, `log4j`, etc.; default: `all`)
        attack_type (str): Type of attack to filter. (supported: `scanner`, `payload_request`, `all`; default: `all`)
        max_age (int): Maximum number of days since last occurrence. E.g. an IOC that was last seen 4 days ago is excluded by default. (default: 3)
        min_days_seen (int): Minimum number of days on which an IOC must have been seen. (default: 1)
        include_reputation (str): `;`-separated list of reputation values to include, e.g. `known attacker` or `known attacker;` to include IOCs without reputation. (default: include all)
        exclude_reputation (str): `;`-separated list of reputation values to exclude, e.g. `mass scanner` or `mass scanner;bot, crawler`. (default: exclude none)
        feed_size (int): Number of IOC items to return. (default: 5000)
        ordering (str): Field to order results by, with optional `-` prefix for descending. (default: `-last_seen`)
        verbose (bool): `true` to include IOC properties that contain a lot of data, e.g. the list of days it was seen. (default: `false`)
        paginate (bool): `true` to paginate results. This forces the json format. (default: `false`)
        format (str): Response format type. Besides `json`, `txt` and `csv` are supported but the response will only contain IOC values (e.g. IP adresses) without further information. (default: `json`)

    Returns:
        Response: The HTTP response with formatted IOC data.
    """
    logger.info(f"request /api/feeds/advanced/ with params: {request.query_params}")
    feed_params = FeedRequestParams(request.query_params)
    valid_feed_types = get_valid_feed_types()
    iocs_queryset = get_queryset(request, feed_params, valid_feed_types)
    verbose = feed_params.verbose == "true"
    paginate = feed_params.paginate == "true"
    if paginate:
        feed_params.format = "json"
        paginator = CustomPageNumberPagination()
        iocs = paginator.paginate_queryset(iocs_queryset, request)
        resp_data = feeds_response(iocs, feed_params, valid_feed_types, dict_only=True, verbose=verbose)
        return paginator.get_paginated_response(resp_data)
    return feeds_response(iocs_queryset, feed_params, valid_feed_types, verbose=verbose)

`Feeds Pagination`

Handle requests for paginated IOC feeds based on query parameters.

Parameters:

Name	Type	Description	Default
`request`		The incoming request object.	required

Returns:

Name	Type	Description
`Response`		The paginated HTTP response with IOC data.

Source code in docs/Submodules/GreedyBear/api/views/feeds.py

@api_view([GET])
def feeds_pagination(request):
    """
    Handle requests for paginated IOC feeds based on query parameters.

    Args:
        request: The incoming request object.

    Returns:
        Response: The paginated HTTP response with IOC data.
    """

    logger.info(f"request /api/feeds with params: {request.query_params}")

    feed_params = FeedRequestParams(request.query_params)
    feed_params.format = "json"
    feed_params.set_prioritization(request.query_params.get("prioritize"))
    if request.query_params and "exclude_mass_scanners" in request.query_params:
        feed_params.exclude_mass_scanners()

    valid_feed_types = get_valid_feed_types()
    iocs_queryset = get_queryset(request, feed_params, valid_feed_types)
    paginator = CustomPageNumberPagination()
    iocs = paginator.paginate_queryset(iocs_queryset, request)
    resp_data = feeds_response(iocs, feed_params, valid_feed_types, dict_only=True)
    return paginator.get_paginated_response(resp_data)

`Command Sequence`

View function that handles command sequence queries based on IP addresses or SHA-256 hashes.

Retrieves and returns command sequences and related IOCs based on the query parameter. If IP address is given, returns all command sequences executed from this IP. If SHA-256 hash is given, returns details about the specific command sequence. Can include similar command sequences if requested.

Parameters:

Name	Type	Description	Default
`request`		The HTTP request object containing query parameters	required
`query`	`str`	The search term, can be either an IP address or a SHA-256 hash.	required
`include_similar`	`bool`	When parameter is present, returns related command sequences based on clustering.	required

Returns:

Type	Description
	Response object with command sequence data or an error response

Raises:

Type	Description
`Http404`	If the requested resource is not found

Source code in docs/Submodules/GreedyBear/api/views/command_sequence.py

@api_view([GET])
@authentication_classes([CookieTokenAuthentication])
@permission_classes([IsAuthenticated])
def command_sequence_view(request):
    """
    View function that handles command sequence queries based on IP addresses or SHA-256 hashes.

    Retrieves and returns command sequences and related IOCs based on the query parameter.
    If IP address is given, returns all command sequences executed from this IP.
    If SHA-256 hash is given, returns details about the specific command sequence.
    Can include similar command sequences if requested.

    Args:
        request: The HTTP request object containing query parameters
        query (str): The search term, can be either an IP address or a SHA-256 hash.
        include_similar (bool): When parameter is present, returns related command sequences based on clustering.

    Returns:
        Response object with command sequence data or an error response

    Raises:
        Http404: If the requested resource is not found
    """
    observable = request.query_params.get("query")
    include_similar = request.query_params.get("include_similar") is not None
    logger.info(f"Command Sequence view requested by {request.user} for {observable}")
    source_ip = str(request.META["REMOTE_ADDR"])
    request_source = Statistics(source=source_ip, view=viewType.COMMAND_SEQUENCE_VIEW.value)
    request_source.save()

    if not observable:
        return HttpResponseBadRequest("Missing required 'query' parameter")

    if is_ip_address(observable):
        sessions = CowrieSession.objects.filter(source__name=observable, start_time__isnull=False, commands__isnull=False)
        sequences = set(s.commands for s in sessions)
        seqs = [
            {
                "time": s.start_time,
                "command_sequence": "\n".join(s.commands.commands),
                "command_sequence_hash": s.commands.commands_hash,
            }
            for s in sessions
        ]
        related_iocs = IOC.objects.filter(cowriesession__commands__in=sequences).distinct().only("name")
        if include_similar:
            related_clusters = set(s.cluster for s in sequences if s.cluster is not None)
            related_iocs = IOC.objects.filter(cowriesession__commands__cluster__in=related_clusters).distinct().only("name")
        if not seqs:
            raise Http404(f"No command sequences found for IP: {observable}")
        data = {
            "license": FEEDS_LICENSE,
            "executed_commands": seqs,
            "executed_by": sorted([ioc.name for ioc in related_iocs]),
        }
        return Response(data, status=status.HTTP_200_OK)

    if is_sha256hash(observable):
        try:
            seq = CommandSequence.objects.get(commands_hash=observable)
            seqs = CommandSequence.objects.filter(cluster=seq.cluster) if include_similar and seq.cluster is not None else [seq]
            commands = ["\n".join(seq.commands) for seq in seqs]
            sessions = CowrieSession.objects.filter(commands__in=seqs, start_time__isnull=False)
            iocs = [
                {
                    "time": s.start_time,
                    "ip": s.source.name,
                }
                for s in sessions
            ]
            data = {
                "license": FEEDS_LICENSE,
                "commands": commands,
                "iocs": sorted(iocs, key=lambda d: d["time"], reverse=True),
            }
            return Response(data, status=status.HTTP_200_OK)
        except CommandSequence.DoesNotExist as exc:
            raise Http404(f"No command sequences found with hash: {observable}") from exc

    return HttpResponseBadRequest("Query must be a valid IP address or SHA-256 hash")

`general_honeypot_list`

Retrieve a list of all general honeypots, optionally filtering by active status.

Parameters:

Name	Type	Description	Default
`request`		The incoming request object containing query parameters.	required

Returns:

Name	Type	Description
`Response`		A JSON response containing the list of general honeypots.

Source code in docs/Submodules/GreedyBear/api/views/general_honeypot.py

@api_view([GET])
def general_honeypot_list(request):
    """
    Retrieve a list of all general honeypots, optionally filtering by active status.

    Args:
        request: The incoming request object containing query parameters.

    Returns:
        Response: A JSON response containing the list of general honeypots.
    """

    logger.info(f"Requested general honeypots list from {request.user}.")
    active = request.query_params.get("onlyActive")
    honeypots = []
    generalHoneypots = GeneralHoneypot.objects.all()
    if active == "true":
        generalHoneypots = generalHoneypots.filter(active=True)
        logger.info(f"Requested only active general honeypots from {request.user}")
    honeypots.extend([hp.name for hp in generalHoneypots])

    logger.info(f"General honeypots: {honeypots} given back to user {request.user}")
    return Response(honeypots)

`Statistics`

Bases: ViewSet

A viewset for viewing and editing statistics related to feeds and enrichment data.

Provides actions to retrieve statistics about the sources and downloads of feeds, as well as statistics on enrichment data.

Source code in docs/Submodules/GreedyBear/api/views/statistics.py

class StatisticsViewSet(viewsets.ViewSet):
    """
    A viewset for viewing and editing statistics related to feeds and enrichment data.

    Provides actions to retrieve statistics about the sources and downloads of feeds,
    as well as statistics on enrichment data.
    """

    @action(detail=True, methods=["GET"])
    def feeds(self, request, pk=None):
        """
        Retrieve feed statistics, including the number of sources and downloads.

        Args:
            request: The incoming request object.
            pk (str): The type of statistics to retrieve (e.g., "sources", "downloads").

        Returns:
            Response: A JSON response containing the requested statistics.
        """
        if pk == "sources":
            annotations = {
                "Sources": Count(
                    "source",
                    distinct=True,
                    filter=Q(view=viewType.FEEDS_VIEW.value),
                )
            }
        elif pk == "downloads":
            annotations = {"Downloads": Count("source", filter=Q(view=viewType.FEEDS_VIEW.value))}
        else:
            logger.error("this is impossible. check the code")
            return HttpResponseServerError()
        return self.__aggregation_response_static_statistics(annotations)

    @action(detail=True, methods=["get"])
    def enrichment(self, request, pk=None):
        """
        Retrieve enrichment statistics, including the number of sources and requests.

        Args:
            request: The incoming request object.
            pk (str): The type of statistics to retrieve (e.g., "sources", "requests").

        Returns:
            Response: A JSON response containing the requested statistics.
        """
        if pk == "sources":
            annotations = {
                "Sources": Count(
                    "source",
                    distinct=True,
                    filter=Q(view=viewType.ENRICHMENT_VIEW.value),
                )
            }
        elif pk == "requests":
            annotations = {"Requests": Count("source", filter=Q(view=viewType.ENRICHMENT_VIEW.value))}
        else:
            logger.error("this is impossible. check the code")
            return HttpResponseServerError()
        return self.__aggregation_response_static_statistics(annotations)

    @action(detail=False, methods=["get"])
    def feeds_types(self, request):
        """
        Retrieve statistics for different types of feeds, including Log4j, Cowrie,
        and general honeypots.

        Args:
            request: The incoming request object.

        Returns:
            Response: A JSON response containing the feed type statistics.
        """
        # FEEDS
        annotations = {
            "Log4j": Count("name", distinct=True, filter=Q(log4j=True)),
            "Cowrie": Count("name", distinct=True, filter=Q(cowrie=True)),
        }
        # feed_type for each general honeypot in the list
        generalHoneypots = GeneralHoneypot.objects.all().filter(active=True)
        for hp in generalHoneypots:
            annotations[hp.name] = Count("name", Q(general_honeypot__name__iexact=hp.name.lower()))
        return self.__aggregation_response_static_ioc(annotations)

    def __aggregation_response_static_statistics(self, annotations: dict) -> Response:
        """
        Helper method to generate statistics response based on annotations.

        Args:
            annotations (dict): Dictionary containing the annotations for the query.

        Returns:
            Response: A JSON response containing the aggregated statistics.
        """
        delta, basis = self.__parse_range(self.request)
        qs = Statistics.objects.filter(request_date__gte=delta).annotate(date=Trunc("request_date", basis)).values("date").annotate(**annotations)
        return Response(qs)

    def __aggregation_response_static_ioc(self, annotations: dict) -> Response:
        """
        Helper method to generate IOC response based on annotations.

        Args:
            annotations (dict): Dictionary containing the annotations for the query.

        Returns:
            Response: A JSON response containing the aggregated IOC data.
        """
        delta, basis = self.__parse_range(self.request)

        qs = (
            IOC.objects.filter(last_seen__gte=delta)
            .exclude(general_honeypot__active=False)
            .annotate(date=Trunc("last_seen", basis))
            .values("date")
            .annotate(**annotations)
        )
        return Response(qs)

    @staticmethod
    def __parse_range(request):
        """
        Parse the range parameter from the request query string to determine the time range for the query.

        Args:
            request: The incoming request object.

        Returns:
            tuple: A tuple containing the delta time and basis for the query range.
        """
        try:
            range_str = request.GET["range"]
        except KeyError:
            # default
            range_str = "7d"

        return parse_humanized_range(range_str)

`__aggregation_response_static_ioc(annotations)`

Helper method to generate IOC response based on annotations.

Parameters:

Name	Type	Description	Default
`annotations`	`dict`	Dictionary containing the annotations for the query.	required

Returns:

Name	Type	Description
`Response`	`Response`	A JSON response containing the aggregated IOC data.

Source code in docs/Submodules/GreedyBear/api/views/statistics.py

def __aggregation_response_static_ioc(self, annotations: dict) -> Response:
    """
    Helper method to generate IOC response based on annotations.

    Args:
        annotations (dict): Dictionary containing the annotations for the query.

    Returns:
        Response: A JSON response containing the aggregated IOC data.
    """
    delta, basis = self.__parse_range(self.request)

    qs = (
        IOC.objects.filter(last_seen__gte=delta)
        .exclude(general_honeypot__active=False)
        .annotate(date=Trunc("last_seen", basis))
        .values("date")
        .annotate(**annotations)
    )
    return Response(qs)

`__aggregation_response_static_statistics(annotations)`

Helper method to generate statistics response based on annotations.

Parameters:

Name	Type	Description	Default
`annotations`	`dict`	Dictionary containing the annotations for the query.	required

Returns:

Name	Type	Description
`Response`	`Response`	A JSON response containing the aggregated statistics.

Source code in docs/Submodules/GreedyBear/api/views/statistics.py

def __aggregation_response_static_statistics(self, annotations: dict) -> Response:
    """
    Helper method to generate statistics response based on annotations.

    Args:
        annotations (dict): Dictionary containing the annotations for the query.

    Returns:
        Response: A JSON response containing the aggregated statistics.
    """
    delta, basis = self.__parse_range(self.request)
    qs = Statistics.objects.filter(request_date__gte=delta).annotate(date=Trunc("request_date", basis)).values("date").annotate(**annotations)
    return Response(qs)

`__parse_range(request)` `staticmethod`

Parse the range parameter from the request query string to determine the time range for the query.

Parameters:

Name	Type	Description	Default
`request`		The incoming request object.	required

Returns:

Name	Type	Description
`tuple`		A tuple containing the delta time and basis for the query range.

Source code in docs/Submodules/GreedyBear/api/views/statistics.py

@staticmethod
def __parse_range(request):
    """
    Parse the range parameter from the request query string to determine the time range for the query.

    Args:
        request: The incoming request object.

    Returns:
        tuple: A tuple containing the delta time and basis for the query range.
    """
    try:
        range_str = request.GET["range"]
    except KeyError:
        # default
        range_str = "7d"

    return parse_humanized_range(range_str)

`enrichment(request, pk=None)`

Retrieve enrichment statistics, including the number of sources and requests.

Parameters:

Name	Type	Description	Default
`request`		The incoming request object.	required
`pk`	`str`	The type of statistics to retrieve (e.g., "sources", "requests").	`None`

Returns:

Name	Type	Description
`Response`		A JSON response containing the requested statistics.

Source code in docs/Submodules/GreedyBear/api/views/statistics.py

@action(detail=True, methods=["get"])
def enrichment(self, request, pk=None):
    """
    Retrieve enrichment statistics, including the number of sources and requests.

    Args:
        request: The incoming request object.
        pk (str): The type of statistics to retrieve (e.g., "sources", "requests").

    Returns:
        Response: A JSON response containing the requested statistics.
    """
    if pk == "sources":
        annotations = {
            "Sources": Count(
                "source",
                distinct=True,
                filter=Q(view=viewType.ENRICHMENT_VIEW.value),
            )
        }
    elif pk == "requests":
        annotations = {"Requests": Count("source", filter=Q(view=viewType.ENRICHMENT_VIEW.value))}
    else:
        logger.error("this is impossible. check the code")
        return HttpResponseServerError()
    return self.__aggregation_response_static_statistics(annotations)

`feeds(request, pk=None)`

Retrieve feed statistics, including the number of sources and downloads.

Parameters:

Name	Type	Description	Default
`request`		The incoming request object.	required
`pk`	`str`	The type of statistics to retrieve (e.g., "sources", "downloads").	`None`

Returns:

Name	Type	Description
`Response`		A JSON response containing the requested statistics.

Source code in docs/Submodules/GreedyBear/api/views/statistics.py

@action(detail=True, methods=["GET"])
def feeds(self, request, pk=None):
    """
    Retrieve feed statistics, including the number of sources and downloads.

    Args:
        request: The incoming request object.
        pk (str): The type of statistics to retrieve (e.g., "sources", "downloads").

    Returns:
        Response: A JSON response containing the requested statistics.
    """
    if pk == "sources":
        annotations = {
            "Sources": Count(
                "source",
                distinct=True,
                filter=Q(view=viewType.FEEDS_VIEW.value),
            )
        }
    elif pk == "downloads":
        annotations = {"Downloads": Count("source", filter=Q(view=viewType.FEEDS_VIEW.value))}
    else:
        logger.error("this is impossible. check the code")
        return HttpResponseServerError()
    return self.__aggregation_response_static_statistics(annotations)

`feeds_types(request)`

Retrieve statistics for different types of feeds, including Log4j, Cowrie, and general honeypots.

Parameters:

Name	Type	Description	Default
`request`		The incoming request object.	required

Returns:

Name	Type	Description
`Response`		A JSON response containing the feed type statistics.

Source code in docs/Submodules/GreedyBear/api/views/statistics.py

@action(detail=False, methods=["get"])
def feeds_types(self, request):
    """
    Retrieve statistics for different types of feeds, including Log4j, Cowrie,
    and general honeypots.

    Args:
        request: The incoming request object.

    Returns:
        Response: A JSON response containing the feed type statistics.
    """
    # FEEDS
    annotations = {
        "Log4j": Count("name", distinct=True, filter=Q(log4j=True)),
        "Cowrie": Count("name", distinct=True, filter=Q(cowrie=True)),
    }
    # feed_type for each general honeypot in the list
    generalHoneypots = GeneralHoneypot.objects.all().filter(active=True)
    for hp in generalHoneypots:
        annotations[hp.name] = Count("name", Q(general_honeypot__name__iexact=hp.name.lower()))
    return self.__aggregation_response_static_ioc(annotations)

API Documentation

Enrichment

Feeds

Advanced Feeds

Feeds Pagination

Command Sequence

general_honeypot_list

Statistics

__aggregation_response_static_ioc(annotations)

__aggregation_response_static_statistics(annotations)

__parse_range(request) staticmethod

enrichment(request, pk=None)

feeds(request, pk=None)

feeds_types(request)

`Enrichment`

`Feeds`

`Advanced Feeds`

`Feeds Pagination`

`Command Sequence`

`general_honeypot_list`

`Statistics`

`__aggregation_response_static_ioc(annotations)`

`__aggregation_response_static_statistics(annotations)`

`__parse_range(request)` `staticmethod`

`enrichment(request, pk=None)`

`feeds(request, pk=None)`

`feeds_types(request)`