# Actions

These endpoints let you act on incidents: acknowledge, unacknowledge, delete or fetch a single incident by key, and acknowledge, unacknowledge or delete many incidents at once by filter. Every call takes an `auth_token`; the single-incident calls take an incident key, the bulk calls take at least one filter.

# Acknowledge Incident

POST /api/v1/incident/acknowledge

Acknowledge a specified incident.

Required Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| `auth_token` | string | A valid auth token |
| `incident` | string | A valid incident key |

Response

JSON structure with result indicator.

Example

```bash
curl https://EXAMPLE.canary.tools/api/v1/incident/acknowledge \
  -d auth_token=EXAMPLE_AUTH_TOKEN \
  -d incident=EXAMPLE_INCIDENT_KEY
```

Response

```json
{
  "action": "acknowledged",
  "key": "<incident_key>",
  "result": "success"
}
```

# Delete Incident

DELETE /api/v1/incident/delete

Deletes a specified incident.

Required Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| `auth_token` | string | A valid auth token |
| `incident` | string | A valid incident key |

Response

JSON structure with result indicator.

Example

```bash
curl -X DELETE https://EXAMPLE.canary.tools/api/v1/incident/delete \
  -d auth_token=EXAMPLE_AUTH_TOKEN \
  -d incident=EXAMPLE_INCIDENT_KEY
```

Response

```json
{
  "action": "deleted",
  "key": "<incident_key>",
  "result": "success"
}
```

# Fetch Incident

GET /api/v1/incident/fetch

Retrieve a specified incident.

Required Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| `auth_token` | string | A valid auth token |

Optional Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| `incident` | string | A valid incident key |
| `hash_id` | string | A valid incident hash |
| `extended_details` | boolean | Return all incident fields |
| `tz` | string | Timezone for the standardised timestamps (fields ending in `_std`). Use a pytz timezone name, e.g. `Europe/London` |

TIP

Either incident or hash_id is required.

Response

JSON structure containing the specified incident.

Example

```bash
curl https://EXAMPLE.canary.tools/api/v1/incident/fetch \
  -d auth_token=EXAMPLE_AUTH_TOKEN \
  -d incident=EXAMPLE_INCIDENT_KEY \
  -G
```

Response

```json
{
  "incident": {
    "acknowledged": "False",
    "created": "1586260854",
    "created_std": "2020-04-07 12:00:54 UTC+0000",
    "description": "Telnet Login Attempt",
    "dst_host": "<destination_ip>",
    "dst_port": "23",
    "events": [
      {
        "PASSWORD": "<password>",
        "TERMSIZE": "91x44",
        "TERMTYPE": "XTERM-256COLOR",
        "USERNAME": "<username>",
        "timestamp": 1586260854,
        "timestamp_std": "2020-04-07 12:00:54 UTC+0000"
      }
    ],
    "events_count": "3",
    "id": "<incident_key>",
    "ip_address": "",
    "ippers": "",
    "local_time": "2020-04-07 12:00:53",
    "logtype": "6001",
    "mac_address": "",
    "node_id": "<node_id>",
    "notified": "False",
    "src_host": "<source_ip>",
    "src_host_reverse": "<source_hostname>",
    "src_port": "54968"
  },
  "result": "success"
}
```
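
The fetch and acknowledge calls above, driven from Python rather than curl. This is an added example, not code from the Canary documentation or from Thinkst's own client; it assumes only what this page documents (fetch is a GET with the parameters in the query string, as `curl -G` sends them; acknowledge is a POST with a form body; exactly one of `incident` or `hash_id` is required). Sending `extended_details` as the literal string `true` is an assumption. Note that the fetch response carries `acknowledged` and `notified` as the strings `"True"`/`"False"`, and the counts and ports as strings; the example normalises those so that a later `if incident["acknowledged"]:` does not treat `"False"` as truthy. The `_fake_opener` and `_FETCH_BODY` at the bottom are a constructed offline stand-in for the console so the example runs without network access.

```python
"""Fetch, normalise and acknowledge a single Canary incident.

Added example; not code from the Canary documentation or from Thinkst.
It assumes only what the page documents: GET /api/v1/incident/fetch with
auth_token plus exactly one of incident / hash_id in the query string, and
POST /api/v1/incident/acknowledge with auth_token and incident as a form body.
Sending extended_details as the literal "true" is an assumption.
"""
import io
import json
import urllib.parse
import urllib.request


class CanaryError(RuntimeError):
    """The console answered, but not with result == "success"."""


def _call(console, method, path, params, opener):
    """GET: params in the query string (curl -G); POST/DELETE: form body."""
    url = f"https://{console}.canary.tools{path}"
    form = urllib.parse.urlencode(params)
    if method == "GET":
        req = urllib.request.Request(f"{url}?{form}", method="GET")
    else:
        req = urllib.request.Request(url, data=form.encode(), method=method)
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with opener(req) as resp:
        payload = json.loads(resp.read().decode())
    if payload.get("result") != "success":
        raise CanaryError(f"{method} {path}: {payload}")
    return payload


def as_bool(value):
    """The fetch response carries booleans as the strings "True"/"False";
    bool("False") is True in Python, so compare the text explicitly."""
    return value if isinstance(value, bool) else str(value).strip().lower() == "true"


def fetch_incident(console, auth_token, *, incident=None, hash_id=None,
                   extended_details=False, tz=None, opener=urllib.request.urlopen):
    """Return the incident dict with its boolean and integer fields typed."""
    if (incident is None) == (hash_id is None):
        raise ValueError("exactly one of incident or hash_id is required")
    params = {"auth_token": auth_token}
    params["incident" if incident is not None else "hash_id"] = (
        incident if incident is not None else hash_id)
    if extended_details:
        params["extended_details"] = "true"  # assumed encoding of the boolean
    if tz:
        params["tz"] = tz  # pytz name, e.g. "Europe/London"; affects the *_std fields
    inc = _call(console, "GET", "/api/v1/incident/fetch", params, opener)["incident"]
    for key in ("acknowledged", "notified"):
        if key in inc:
            inc[key] = as_bool(inc[key])
    for key in ("created", "events_count", "src_port", "dst_port", "logtype"):
        if key in inc and str(inc[key]).isdigit():
            inc[key] = int(inc[key])
    return inc


def acknowledge_incident(console, auth_token, incident, opener=urllib.request.urlopen):
    """POST /api/v1/incident/acknowledge; returns the acknowledged incident key."""
    payload = _call(console, "POST", "/api/v1/incident/acknowledge",
                    {"auth_token": auth_token, "incident": incident}, opener)
    return payload["key"]


# --- Constructed stand-in for the console so the example runs offline. ---
# _FETCH_BODY is a trimmed copy of the fetch response shown on this page.
_FETCH_BODY = {"result": "success", "incident": {
    "acknowledged": "False", "created": "1586260854",
    "created_std": "2020-04-07 12:00:54 UTC+0000",
    "description": "Telnet Login Attempt", "dst_port": "23",
    "events": [{"USERNAME": "<username>", "PASSWORD": "<password>",
                "timestamp": 1586260854}],
    "events_count": "3", "id": "EXAMPLE_INCIDENT_KEY", "logtype": "6001",
    "notified": "False", "src_host": "<source_ip>", "src_port": "54968"}}


def _reply(obj):
    """A response object with read() and context-manager support, like urlopen's."""
    return io.BytesIO(json.dumps(obj).encode())


def _fake_opener(req):
    """Answers the two documented endpoints the way the page's examples show."""
    parsed = urllib.parse.urlsplit(req.full_url)
    if parsed.path == "/api/v1/incident/fetch" and req.get_method() == "GET":
        qs = urllib.parse.parse_qs(parsed.query)
        if "incident" in qs or "hash_id" in qs:
            return _reply(_FETCH_BODY)
    elif parsed.path == "/api/v1/incident/acknowledge" and req.get_method() == "POST":
        form = urllib.parse.parse_qs(req.data.decode())
        return _reply({"action": "acknowledged", "key": form["incident"][0],
                       "result": "success"})
    return _reply({"result": "error", "message": "bad request"})


def demo(opener=_fake_opener):
    """Fetch the page's example incident, then acknowledge it by its key."""
    inc = fetch_incident("EXAMPLE", "EXAMPLE_AUTH_TOKEN",
                         incident="EXAMPLE_INCIDENT_KEY", opener=opener)
    key = acknowledge_incident("EXAMPLE", "EXAMPLE_AUTH_TOKEN", inc["id"], opener=opener)
    return inc, key


if __name__ == "__main__":
    incident, key = demo()
    print(incident["description"], "acknowledged:", incident["acknowledged"], key)
```

Pass `opener=urllib.request.urlopen` (the default) to talk to a real console. Because fetch is a GET, the `auth_token` travels in the URL and will appear wherever URLs are logged (proxies, shell history when typed into curl), so treat the token like a password: load it from a file or environment variable rather than pasting it on the command line, and scope the console account that owns it as narrowly as the product allows.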

# Unacknowledge Incident

POST /api/v1/incident/unacknowledge

Unacknowledge a specified incident.

Required Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| `auth_token` | string | A valid auth token |
| `incident` | string | A valid incident key |

Response

JSON structure with result indicator.

Example

```bash
curl https://EXAMPLE.canary.tools/api/v1/incident/unacknowledge \
  -d auth_token=EXAMPLE_AUTH_TOKEN \
  -d incident=EXAMPLE_INCIDENT_KEY
```

Response

```json
{
  "action": "unacknowledged",
  "key": "<incident_key>",
  "result": "success"
}
```

# Acknowledge Multiple Incidents

POST /api/v1/incidents/acknowledge

Acknowledge multiple incidents.

Required Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| `auth_token` | string | A valid auth token |

Optional Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| `flock_id` | string | Acknowledge incidents for a specific flock |
| `node_id` | string | Acknowledge incidents for a specific node (cannot be used in conjunction with `src_host`) |
| `src_host` | string | Acknowledge incidents for a specific source IP address (cannot be used in conjunction with `node_id`) |
| `older_than` | string | Acknowledge incidents older than the provided period. Periods are `[quantity][unit]`, where `[unit]` is one of `h`, `d`, `w` (hours, days or weeks), e.g. `1h`, `1d` or `1w` |
| `filter_str` | string | The string used when searching for incidents to be acknowledged. It is matched against incident details such as Source IP, Canary Name, Token Name, NodeID and Reverse IP Lookup |
| `filter_logtypes` | string | The logtype of the incidents to be acknowledged |

TIP

At least one of the optional parameters is required.

Response

JSON structure with result indicator.

Example

```bash
curl https://EXAMPLE.canary.tools/api/v1/incidents/acknowledge \
  -d auth_token=EXAMPLE_AUTH_TOKEN \
  -d node_id=EXAMPLE_NODE_ID
```

Response

```json
{
  "action": "acknowledged",
  "keys": [
    "<incident_key>",
    "<incident_key>",
    "<incident_key>",
    "<incident_key>",
    "<incident_key>",
    "<incident_key>",
    "<incident_key>"
  ],
  "result": "success"
}
```

# Delete Multiple Incidents

DELETE /api/v1/incidents/delete

Delete multiple incidents. By default only acknowledged incidents matching the filters are deleted; set `include_unacknowledged` to delete unacknowledged ones as well.

Required Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| `auth_token` | string | A valid auth token |

Optional Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| `flock_id` | string | Delete incidents for a specific flock |
| `node_id` | string | Delete incidents for a specific node (cannot be used in conjunction with `src_host`) |
| `src_host` | string | Delete incidents for a specific source IP address (cannot be used in conjunction with `node_id`) |
| `older_than` | string | Delete incidents older than the provided period. Periods are `[quantity][unit]`, where `[unit]` is one of `h`, `d`, `w` (hours, days or weeks), e.g. `1h`, `1d` or `1w` |
| `filter_str` | string | The string used when searching for incidents to be deleted. It is matched against incident details such as Source IP, Canary Name, Token Name, NodeID and Reverse IP Lookup |
| `filter_logtypes` | string | The logtype of the incidents to be deleted |
| `include_unacknowledged` | boolean | Include unacknowledged incidents when deleting |

TIP

At least one of the optional parameters is required.

Response

JSON structure with result indicator.

Example

```bash
curl -X DELETE https://EXAMPLE.canary.tools/api/v1/incidents/delete \
  -d auth_token=EXAMPLE_AUTH_TOKEN \
  -d node_id=EXAMPLE_NODE_ID
```

Response

```json
{
  "action": "deleted",
  "keys": [
    "<incident_key>",
    "<incident_key>",
    "<incident_key>",
    "<incident_key>"
  ],
  "result": "success"
}
```

# Unacknowledge Multiple Incidents

POST /api/v1/incidents/unacknowledge

Unacknowledge multiple incidents.

Required Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| `auth_token` | string | A valid auth token |

Optional Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| `flock_id` | string | Unacknowledge incidents for a specific flock |
| `node_id` | string | Unacknowledge incidents for a specific node (cannot be used in conjunction with `src_host`) |
| `src_host` | string | Unacknowledge incidents for a specific source IP address (cannot be used in conjunction with `node_id`) |
| `older_than` | string | Unacknowledge incidents older than the provided period. Periods are `[quantity][unit]`, where `[unit]` is one of `h`, `d`, `w` (hours, days or weeks), e.g. `1h`, `1d` or `1w` |
| `filter_str` | string | The string used when searching for incidents to be unacknowledged. It is matched against incident details such as Source IP, Canary Name, Token Name, NodeID and Reverse IP Lookup |
| `filter_logtypes` | string | The logtype of the incidents to be unacknowledged |

TIP

At least one of the optional parameters is required.

Response

JSON structure with result indicator.

Example

```bash
curl https://EXAMPLE.canary.tools/api/v1/incidents/unacknowledge \
  -d auth_token=EXAMPLE_AUTH_TOKEN \
  -d node_id=EXAMPLE_NODE_ID
```

Response

```json
{
  "action": "unacknowledged",
  "keys": [
    "<incident_key>",
    "<incident_key>",
    "<incident_key>",
    "<incident_key>",
    "<incident_key>",
    "<incident_key>",
    "<incident_key>"
  ],
  "result": "success"
}
```
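
The three bulk endpoints above (acknowledge, delete, unacknowledge) share one filter vocabulary and the same rules: at least one filter must be given, `node_id` and `src_host` are mutually exclusive, `older_than` is `[quantity][unit]` with `h`/`d`/`w`, and delete only touches acknowledged incidents unless `include_unacknowledged` is set. The following is an added example, not code from the Canary documentation or from Thinkst, that turns those rules into a request builder which rejects a bad filter set locally instead of discovering it from an error response, and flags the one combination worth a second look before it is sent: a DELETE whose only filters are age or logtype, which can remove incidents across every flock and node in one call. Encoding `include_unacknowledged` as the literal string `true` is an assumption; the `_SCOPED` list of "narrowing" filters is a judgement of mine, not a distinction the page makes.

```python
"""Build and sanity-check a request for the bulk incident endpoints.

Added example; not code from the Canary documentation or from Thinkst. It
encodes only the rules this page states for /api/v1/incidents/acknowledge,
/unacknowledge and /delete. Sending include_unacknowledged as the literal
"true", and which filters count as "scoped", are assumptions of this example.
"""
import re
from datetime import timedelta

_ENDPOINTS = {
    "acknowledge": ("POST", "/api/v1/incidents/acknowledge"),
    "unacknowledge": ("POST", "/api/v1/incidents/unacknowledge"),
    "delete": ("DELETE", "/api/v1/incidents/delete"),
}
_OLDER_THAN = re.compile(r"^(\d+)([hdw])$")
_UNITS = {"h": "hours", "d": "days", "w": "weeks"}
# Filters that name a particular target. A DELETE carrying none of these is
# scoped only by age or logtype and can span the whole console (assumption).
_SCOPED = ("flock_id", "node_id", "src_host", "filter_str")


def parse_older_than(period):
    """Validate the documented "[quantity][unit]" form; return it as a timedelta."""
    m = _OLDER_THAN.match(period.strip())
    if not m:
        raise ValueError(f"older_than must look like 1h, 2d or 3w, got {period!r}")
    return timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})


def build_bulk_request(action, auth_token, *, flock_id=None, node_id=None,
                       src_host=None, older_than=None, filter_str=None,
                       filter_logtypes=None, include_unacknowledged=False):
    """Return (method, path, form_params) for one bulk action, or raise ValueError."""
    if action not in _ENDPOINTS:
        raise ValueError(f"unknown bulk action {action!r}")
    if node_id is not None and src_host is not None:
        raise ValueError("node_id and src_host cannot be used together")
    if older_than is not None:
        parse_older_than(older_than)  # raises on a malformed period
    filters = {"flock_id": flock_id, "node_id": node_id, "src_host": src_host,
               "older_than": older_than, "filter_str": filter_str,
               "filter_logtypes": filter_logtypes}
    params = {k: v for k, v in filters.items() if v is not None}
    if not params:
        raise ValueError("at least one of the optional filters is required")
    if include_unacknowledged:
        if action != "delete":
            raise ValueError("include_unacknowledged only applies to delete")
        params["include_unacknowledged"] = "true"  # assumed boolean encoding
    method, path = _ENDPOINTS[action]
    return method, path, {"auth_token": auth_token, **params}


def is_broad_delete(method, params):
    """True for a DELETE scoped only by older_than / filter_logtypes, i.e. one
    that is not narrowed to a flock, node, source host or search string."""
    return method == "DELETE" and not any(k in params for k in _SCOPED)


if __name__ == "__main__":
    # Constructed input: purge everything older than two weeks, reviewed or not.
    method, path, params = build_bulk_request(
        "delete", "EXAMPLE_AUTH_TOKEN", older_than="2w", include_unacknowledged=True)
    print(method, path, params, "broad:", is_broad_delete(method, params))
```

A sensible habit when `is_broad_delete` is true is to run the same filters through `/api/v1/incidents/acknowledge` first and review the returned `keys`, then call delete without `include_unacknowledged`, so the default acknowledged-only behaviour acts as a second confirmation of exactly the set you looked at.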