API Documentation
OpenAPI 3.0
The openapi documentation was generated thanks to apigit
openapi.json
{
"openapi": "3.0.2",
"info": {
"title": "OneFirewall Alliance - OpenAPI 3.0",
"description": "The API documentation site serves as a comprehensive resource for developers looking to utilize the OneFirewall Platform's application programming interface (API). It offers in-depth information on API endpoints, parameters, responses, and authentication processes. Additionally, it features practical examples and code snippets to assist developers in integrating the API into their own applications. The website is crafted to be user-friendly, intuitive, and easily navigable, enabling developers to swiftly locate the necessary information to begin working with the API.",
"termsOfService": "https://onefirewall.com/privacy-policy.html",
"contact": {
"email": "[email protected]",
"url": "https://onefirewall.com",
"name": "Engineering Division"
},
"license": {
"name": "",
"url": ""
},
"version": "V4"
},
"externalDocs": {
"description": "http://docs.onefirewall.com",
"url": "http://app.onefirewall.com"
},
"servers": [
{
"url": "https://app.onefirewall.com/api/v1",
"description": "OneFirewall Server",
"variables": {}
}
],
"tags": [
{
"name": "IPv4 Feeds",
"description": "",
"externalDocs": {
"description": "",
"url": ""
}
},
{
"name": "IoCs",
"description": "",
"externalDocs": {
"description": "",
"url": ""
}
},
{
"name": "Tools",
"description": "",
"externalDocs": {
"description": "",
"url": ""
}
},
{
"name": "URL Feeds",
"description": "",
"externalDocs": {
"description": "",
"url": ""
}
},
{
"name": "Domain Feeds",
"description": "",
"externalDocs": {
"description": "",
"url": ""
}
},
{
"name": "Security Binary Feeds",
"description": "",
"externalDocs": {
"description": "",
"url": ""
}
},
{
"name": "Secure VPN",
"description": "Secure VPN by OneFirewall",
"externalDocs": {
"description": "",
"url": ""
}
}
],
"paths": {
"/stix2/{stix2id}": {
"get": {
"summary": "STIX2.0",
"description": "STIX2 (Structured Threat Information eXpression version 2) is a standardized language for representing cyber threat intelligence (CTI) that enables the sharing of threat intelligence across organizations and security tools. It is important to Threat Intel because it allows security professionals to more easily and effectively analyze and respond to cyber threats, improving their overall threat intelligence capabilities.\nAt OneFirewall, our mission is to deliver a trustworthy and effective cybersecurity platform that safeguards against cyber attacks. To accomplish this goal, we leverage STIX2 structured information to proactively identify and block malicious actors. We also empower our users with access to this critical threat intelligence data, enabling them to enhance their own cybersecurity defenses.",
"operationId": "stix2",
"tags": [
"IoCs"
],
"parameters": [],
"responses": {
"200": {
"description": "The response body contains an array of STIX2 objects. For simplicity, we do not explain the content format in detail here; however, we use standard STIX2 bundles, and more information can be found here: STIX™ Version 2.0",
"headers": {},
"content": {
"application/json": {
"schema": {
"type": "string"
},
"examples": {
"example1": {
"value": "string"
}
}
}
}
}
},
"security": [
{
"Authorization": []
}
]
},
"parameters": [
{
"in": "path",
"name": "stix2id",
"description": "Threat Actor ID (IPv4, URL, Domain, File), at the moment we only provide information based on IPv4",
"schema": {
"type": "string"
},
"required": true
}
]
},
"/version": {
"get": {
"summary": "Health Check",
"description": "The `/version` API endpoint is primarily used to verify the operational status of the API service. When accessed, it responds with basic information indicating the current version of the API, along with a confirmation that the service is active and available. This endpoint typically does not require authentication and serves as a straightforward health check to ensure that the API is up and running correctly.",
"tags": [
"Tools"
],
"parameters": [],
"responses": {
"200": {
"description": "",
"headers": {},
"content": {
"application/json": {
"schema": {
"type": "string"
},
"examples": {
"example1": {
"value": {
"version": "2024-03-14",
"is_master": "true",
"application": "OneFirewall WCF Server (V4)",
"ofa_instance": "CLOUD",
"hostname": "onefirewall-server-74f84cb45c-5zgs2",
"m": 0,
"e": ""
}
}
}
}
}
}
},
"operationId": "version"
}
},
"/file_types": {
"get": {
"summary": "File types",
"description": "OneFirewall revertive each file flagged as malware and associates it with a specific file type (when possible), or more precisely, a MIME type. Currently, OneFirewall only accepts file types from a predetermined list provided by this API.",
"operationId": "file_types",
"tags": [
"Tools"
],
"parameters": [],
"responses": {
"200": {
"description": "",
"headers": {},
"content": {
"application/json": {
"schema": {
"type": "string"
},
"examples": {
"example1": {
"value": [
{
"name": "application/x-krita",
"description": "KRA is the file format for Krita, a raster graphics editor. It is a ZIP archive containing a number of files, including the image data, the layer structure, and the document settings.<br /><br />It is similar in function to PSD files for photoshop.<br /><br />A .krz file is a compressed version of a .kra file and only missing the mergedimage.png contained within it to save storage. The lack of this file can affect interchange with other applications such as Scribus.",
"types": [
".kra",
".krz"
],
"alternatives": [],
"furtherReading": [
{
"title": "Krita File Format",
"url": "https://docs.krita.org/en/general_concepts/file_formats/file_kra.html"
}
]
}
]
}
}
}
}
}
},
"security": [
{
"Authorization": []
}
]
}
},
"/files/{digest}": {
"get": {
"summary": "Files",
"description": "",
"operationId": "Search by Digest",
"tags": [
"Security Binary Feeds"
],
"parameters": [
{
"in": "query",
"name": "deep_scan",
"description": "YES or NO (default). A deep scan is performed across 4 million IoCs if the digest is not present in the main OneFirewall Data Lake",
"schema": {
"type": "string",
"default": "NO",
"enum": [
"YES",
"NO"
]
}
}
],
"responses": {
"200": {
"description": "",
"headers": {},
"content": {
"application/json": {
"schema": {
"type": "string"
},
"examples": {
"example1": {
"value": {
"md5": "947F536E12836C13CFC73638B796471D",
"sha1": "F478B6E4653C4620AF43841CC1F0227BC79F3ADB",
"sha256": "1AE54CBDE48D74B3312771FCDB51E672CD0D60F737FA5FE09F9C83597B8A3B5F",
"score": 96,
"ts": 1693519331,
"file_bytes": null,
"total_reports": 47,
"total_members": 1,
"file_type": "application/x-executable",
"file_name": "947f536e12836c13cfc73638b796471d",
"tags": [
"n/a",
"elf",
"Gafgyt"
],
"elk_ts": "2023-08-31T22:02:11.000Z",
"elk_entry_ts": "2023-08-30T00:03:23.000Z",
"entry_ts": 1693353803
}
}
}
}
}
}
},
"security": [
{
"Authorization": []
}
]
},
"parameters": [
{
"in": "path",
"name": "digest",
"description": "Digest value in any format from MD5,SHA1,SHA256",
"schema": {
"type": "string"
},
"required": true
}
],
"put": {
"summary": "Overwrite Decision",
"description": "",
"operationId": "Overwrite Decision",
"tags": [
"Security Binary Feeds"
],
"parameters": [],
"requestBody": {
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"decision": {
"type": "string",
"description": "0 for whitelist, 1 for blacklist, -1 (default) for based on score (not overwrite)"
}
},
"required": [
"decision"
]
}
}
}
},
"responses": {
"200": {
"description": "The request was received and processed successfully, no body content",
"content": {},
"headers": {}
}
},
"security": [
{
"Authorization": []
}
]
}
},
"/files/score/{min_score}": {
"get": {
"summary": "Files by Score",
"description": "",
"operationId": "Retrieve a list of malicious files by digest type",
"tags": [
"Security Binary Feeds"
],
"parameters": [
{
"in": "query",
"name": "format",
"description": "CSV=the output is CSV, LIST=the output is a list of digest separated by ‘,’",
"schema": {
"type": "string",
"default": "CSV",
"enum": [
"CSV",
"LIST"
]
}
},
{
"in": "query",
"name": "page",
"description": "A cursor that indicates the next page ID to access the next batch of data",
"schema": {
"type": "string"
}
},
{
"in": "query",
"name": "digest",
"description": "SHA256,SHA1 or MD5 (String)\t",
"schema": {
"type": "string",
"enum": [
"SHA256",
"SHA1",
"MD5"
]
},
"required": true
}
],
"responses": {
"200": {
"description": "If the response headers contain a header named next_page, pass its value in a new request to this API in order to retrieve the next batch of data for the same score. If the header is not present, there is no more data to return.\n\n",
"headers": {},
"content": {
"text/html": {
"schema": {
"type": "string"
},
"examples": {
"example1": {
"value": "E285554419641DFF5D76400773422172E364B53AE22C412D92EAA98A28CAE5F0\nA73E7A36715AD8A067EDD3B455ADA4AE88D5F973FB627F996FF6FD0BEC820B6E\n..."
}
}
}
}
},
"400": {
"content": {},
"headers": {},
"description": "The request was malformed (body contains further explanations)"
},
"402": {
"description": "Not enough OneFirewall Coins to perform the request",
"content": {},
"headers": {}
},
"403": {
"description": "The request was not authorized (body contains further explanations)",
"content": {},
"headers": {}
},
"404": {
"description": "The requested digest was not found",
"content": {},
"headers": {}
}
},
"security": [
{
"Authorization": []
}
]
},
"parameters": [
{
"in": "path",
"name": "min_score",
"description": "Minimum WCF Crime Score Feeds",
"schema": {
"type": "number",
"exclusiveMinimum": true,
"exclusiveMaximum": true,
"minimum": 1,
"maximum": 1000
},
"required": true
}
]
},
"/files": {
"get": {
"summary": "Files by TS",
"description": "",
"operationId": "Retrieve the latest malicious files recorded",
"tags": [
"Security Binary Feeds"
],
"parameters": [
{
"in": "query",
"name": "ts",
"description": "Latest updates starting from this timestamp",
"schema": {
"type": "number"
},
"required": true
},
{
"in": "query",
"name": "page_size",
"description": "Maximum size to return",
"schema": {
"type": "number",
"default": 101,
"exclusiveMinimum": true,
"minimum": 100,
"exclusiveMaximum": true,
"maximum": 2000
},
"required": false
},
{
"in": "query",
"name": "min_score",
"description": "Filter based on minimum score",
"schema": {
"type": "number",
"exclusiveMinimum": true,
"minimum": 0,
"exclusiveMaximum": true,
"maximum": 1000,
"default": 1
}
},
{
"in": "query",
"name": "file_type",
"description": "Filter based on file type",
"schema": {
"type": "string"
}
},
{
"in": "query",
"name": "file_name",
"description": "Filter based on file name",
"schema": {
"type": "string"
}
},
{
"in": "query",
"name": "tags\t",
"description": "Array of strings separated by ‘,’ to return documents that contain at least one of the tags provided (default none)",
"schema": {
"type": "array",
"items": {
"type": "string"
},
"minItems": 0,
"maxItems": 100,
"uniqueItems": true
}
}
],
"responses": {
"200": {
"description": "The request was received and processed successfully",
"headers": {},
"content": {
"application/json": {
"schema": {
"type": "string"
},
"examples": {
"example1": {
"value": {
"header": {
"type": "Malware",
"version": 4,
"ts": 1693519200,
"next_ts": 1693519490,
"page_size": 100,
"user": {
"guid": "OFA-GUID-YORP-4193-FDFM",
"name": "NAME",
"surname": "Surname",
"username": "[email protected]",
"role": 0,
"unsuccessful_login": 0,
"member_of": {
"gid": "OFA-GID-dsfgdsfgfdj",
"name": "Org1",
"trust": 0.85,
"delay": "0",
"credit_tokens": 2000000000,
"debit_tokens": 1888915
}
}
},
"body": [
{
"md5": "B3A5311FB0E11953EBD765D4231776EE",
"sha1": "EE727E0FFE780EC24609B9FCCA8512ADE671E2D5",
"sha256": "15678297D3D6DA1D77C9B5C7B479F5C3C922D739C42CA00641F3D3587A829970",
"score": 96,
"ts": 1693519331,
"file_bytes": null,
"total_reports": 47,
"total_members": 1,
"file_type": "application/x-executable",
"file_name": "b3a5311fb0e11953ebd765d4231776ee",
"tags": [
"n/a",
"elf"
],
"elk_ts": "2023-08-31T22:02:11.000Z",
"elk_entry_ts": "2023-08-30T00:03:23.000Z",
"entry_ts": 1693353803
},
{
"md5": "947F536E12836C13CFC73638B796471D",
"sha1": "F478B6E4653C4620AF43841CC1F0227BC79F3ADB",
"sha256": "1AE54CBDE48D74B3312771FCDB51E672CD0D60F737FA5FE09F9C83597B8A3B5F",
"score": 96,
"ts": 1693519331,
"file_bytes": null,
"total_reports": 47,
"total_members": 1,
"file_type": "application/x-executable",
"file_name": "947f536e12836c13cfc73638b796471d",
"tags": [
"n/a",
"elf",
"Gafgyt"
],
"elk_ts": "2023-08-31T22:02:11.000Z",
"elk_entry_ts": "2023-08-30T00:03:23.000Z",
"entry_ts": 1693353803
},
{
"md5": "9D6980C593C635DE0E0A37224272924D",
"sha1": "2EEA6F42D295AC7CEEB7FF079B99ADBB698C321F",
"sha256": "DE895366E2FB48A164C45082928A4AF3D08969A5218F8B9581455635F7922876",
"score": 96,
"ts": 1693519331,
"file_bytes": null,
"total_reports": 47,
"total_members": 1,
"file_type": "application/x-executable",
"file_name": "9d6980c593c635de0e0a37224272924d",
"tags": [
"n/a",
"elf"
],
"elk_ts": "2023-08-31T22:02:11.000Z",
"elk_entry_ts": "2023-08-30T00:03:23.000Z",
"entry_ts": 1693353803
}
]
}
}
}
}
}
}
},
"security": [
{
"Authorization": []
}
]
},
"post": {
"summary": "Report Digest",
"description": "",
"operationId": "Report files suspected of containing a type of malware",
"tags": [
"Security Binary Feeds"
],
"parameters": [],
"requestBody": {
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"confidence": {
"type": "number",
"description": "Confidence from 0.0 to 1.0",
"default": 1
},
"tags": {
"type": "array",
"items": {
"type": "string"
}
},
"file_bytes": {
"type": "string"
},
"file_type": {
"type": "string"
},
"file_name": {
"type": "string"
},
"md5": {
"type": "string"
},
"sha1": {
"type": "string"
},
"sha256": {
"type": "string"
}
},
"required": [
"confidence",
"file_type"
]
}
}
}
},
"responses": {
"200": {
"description": "The request was received and processed successfully, no body content\n",
"content": {},
"headers": {}
}
},
"security": [
{
"Authorization": []
}
]
},
"parameters": []
},
"/flat/{min_score}": {
"get": {
"summary": "Pre-compiled IPv4",
"description": "If you need a simple list (example CSV) to retrieve all the IPv4 feeds based on their score, you can use the below API",
"operationId": "Pre-compiled CSV of IPv4 based on Min Score",
"tags": [
"IPv4 Feeds"
],
"parameters": [
{
"in": "query",
"name": "list",
"description": "NO=the output is CSV, YES=the output is a list of IPs separated by ‘,’",
"schema": {
"type": "string",
"enum": [
"YES",
"NO"
],
"default": "NO"
}
}
],
"responses": {
"200": {
"description": "In case of a 200 response, the body will be presented as in the examples below:\n\n",
"headers": {},
"content": {
"text/html": {
"schema": {
"type": "string"
},
"examples": {
"example1": {
"value": "IPv4,LiveScore,Members,Reports,LastUpdate,AS,ASN,CDN,Reverse,IS_CDN\nX.Y.Z.W,216,3,21,2023-04-29T04:43:54.000Z,<ASXXXX>,<Autonomous System Name>,<CDN Name>,<reverse DNS query>,<'Well-known CDN' in case of Valid CDN>\nX.Y.Z.W,211,3,45,2023-04-28T09:21:50.000Z,<ASXXXX>,<Autonomous System Name>,<CDN Name>,<reverse DNS query>,<'Well-known CDN' in case of Valid CDN>\nX.Y.Z.W,217,3,32,2023-04-29T05:54:04.000Z,<ASXXXX>,<Autonomous System Name>,<CDN Name>,<reverse DNS query>,<'Well-known CDN' in case of Valid CDN>\nX.Y.Z.W,204,3,53,2023-04-29T04:58:13.000Z,<ASXXXX>,<Autonomous System Name>,<CDN Name>,<reverse DNS query>,<'Well-known CDN' in case of Valid CDN>\n....."
}
}
}
}
}
},
"security": [
{
"Authorization": []
}
]
},
"parameters": [
{
"in": "path",
"name": "min_score",
"description": "",
"schema": {
"type": "number",
"exclusiveMinimum": true,
"minimum": 1,
"exclusiveMaximum": true,
"maximum": 1000
},
"required": true
}
]
},
"/ipv4/{min_score}": {
"get": {
"summary": "Live IPv4",
"description": "This API is similar to `IP addresses [FLAT]`, but it has some advantages and disadvantages in comparison:\n\n##### Advantages\n\n1. Real time calculation of the OneFirewall Crime Score\n2. Equipped with the new (v3.2) Scoring algorithm\n3. Can be integrated directly into Fortigate, Checkpoint, etc.\n\n##### Disadvantages\n\n1. Uses pagination (therefore you have to call the API multiple times if the list is bigger than 10000)\n2. Is relatively 6x slower than `IP addresses [FLAT]`",
"operationId": "",
"tags": [
"IPv4 Feeds"
],
"parameters": [
{
"in": "query",
"name": "format",
"description": "CSV=the output is CSV, LIST=the output is a list of IPs separated by ‘,’",
"schema": {
"type": "string",
"enum": [
"CSV",
"LIST"
]
}
},
{
"in": "query",
"name": "agid",
"description": "Agent ID",
"schema": {
"type": "string"
}
},
{
"in": "query",
"name": "plugin",
"description": "Plugin Name",
"schema": {
"type": "string"
}
},
{
"in": "query",
"name": "page",
"description": "A cursor that indicates the next page ID to access the next batch of data",
"schema": {
"type": "string"
}
}
],
"responses": {
"200": {
"description": "If the response headers contain a header named next_page, pass its value in a new request to this API in order to retrieve the next batch of data for the same score. If the header is not present, there is no more data to return.\n\n",
"headers": {},
"content": {
"text/html": {
"schema": {
"type": "string"
},
"examples": {
"example1": {
"value": "X.Y.Z.W\nX.Y.Z.W\nX.Y.Z.W\nX.Y.Z.W\n....."
}
}
}
}
}
},
"security": [
{
"Authorization": []
}
]
},
"parameters": [
{
"in": "path",
"name": "min_score",
"description": "Minimum WCF Crime Score Feeds",
"schema": {
"type": "number",
"exclusiveMinimum": true,
"minimum": 0,
"exclusiveMaximum": true,
"maximum": 1001
},
"required": true
}
]
},
"/info/{ipv4}": {
"get": {
"summary": "IP Metadata",
"description": "You can call the API `/api/v1/info/<IPv4>` in order to receive GeoIP information for the IPv4. This API is useful when you want to verify public data in regards to the GeoIP of any IPv4",
"operationId": "IP Metadata",
"tags": [
"Tools"
],
"parameters": [],
"responses": {
"200": {
"description": "",
"headers": {},
"content": {
"application/json": {
"schema": {
"type": "string"
},
"examples": {
"example1": {
"value": {
"status": "success",
"continent": "North America",
"continentCode": "NA",
"country": "United States",
"countryCode": "US",
"region": "VA",
"regionName": "Virginia",
"city": "Ashburn",
"district": "",
"zip": "20149",
"lat": 39.03,
"lon": -77.5,
"timezone": "America/New_York",
"offset": -14400,
"currency": "USD",
"isp": "Google LLC",
"org": "Google Public DNS",
"as": "AS15169 Google LLC",
"asname": "GOOGLE",
"reverse": "dns.google",
"mobile": false,
"proxy": false,
"hosting": true,
"query": "8.8.8.8"
}
}
}
}
}
}
},
"security": [
{
"Authorization": []
}
]
},
"parameters": [
{
"in": "path",
"name": "ipv4",
"description": "Single IPv4",
"schema": {
"type": "string"
},
"required": true
}
]
},
"/info/domain/{domain_name}": {
"get": {
"summary": "Reverse Domain",
"description": "You can call the API `/api/v1/info/domain/<domain_name>` in order to receive an array of IPs resolved for the domain name.",
"operationId": "Reverse Domain",
"tags": [
"Tools"
],
"parameters": [],
"responses": {
"200": {
"description": "",
"headers": {},
"content": {
"application/json": {
"schema": {
"type": "string"
},
"examples": {
"example1": {
"value": [
"172.67.129.97",
"104.21.2.162"
]
}
}
}
}
}
},
"security": [
{
"Authorization": []
}
]
},
"parameters": [
{
"in": "path",
"name": "domain_name",
"description": "Any valid Domain name",
"schema": {
"type": "string"
},
"required": true
}
]
},
"/info/cdn/list": {
"get": {
"summary": "List of CDNs",
"description": "To retrieve a list of well-known Content Delivery Network (CDN) providers along with their respective edge IP addresses, you can utilize the `/api/v1/info/cdn/list` endpoint. The data provided by this API is generally static, yet the R&D team at OneFirewall periodically updates it. It’s worth noting that CDN providers frequently acquire new IP addresses, making it impossible to guarantee that the following list is exhaustive at any given moment.",
"operationId": "List of CDNs",
"tags": [
"Tools"
],
"parameters": [],
"responses": {
"200": {
"description": "",
"headers": {},
"content": {
"application/json": {
"schema": {
"type": "string"
},
"examples": {
"example1": {
"value": "[\n {\n \"name\": \"<CDN NAME>\",\n \"addresses\": [\n \"<single ip>\",\n \"<CIDR>\"\n \n ]\n },\n \n]"
}
}
}
}
}
},
"security": [
{
"Authorization": []
}
]
}
},
"/ips": {
"get": {
"summary": "Latest IPv4",
"description": "You can call the API `/api/v1/ips` in order to receive an array of the latest IPv4 feeds collected at the OneFirewall Data lake.",
"operationId": "Latest IPv4",
"tags": [
"IPv4 Feeds"
],
"parameters": [
{
"in": "query",
"name": "page_size",
"description": "The maximum size of the array to retrieve",
"schema": {
"type": "number",
"exclusiveMinimum": true,
"minimum": 0,
"exclusiveMaximum": true,
"maximum": 1001,
"default": 50
},
"required": false
},
{
"in": "query",
"name": "ts",
"description": "Timestamp from which to retrieve data",
"schema": {
"type": "integer",
"exclusiveMinimum": true,
"minimum": -1
},
"required": false
},
{
"in": "query",
"name": "full",
"description": "full=yes provide more information",
"schema": {
"type": "string",
"enum": [
"yes",
"no"
],
"default": "no"
}
}
],
"responses": {
"200": {
"description": "",
"headers": {},
"content": {
"application/json": {
"schema": {
"type": "string"
},
"examples": {
"example1": {
"value": {
"header": {
"type": "IPv4",
"version": 2,
"ts": "1684014988",
"page_size": 1,
"delay": 0,
"eval": "return (scoreTimeZero) / (1 + Math.exp( (3/(scoreTimeZero)) * ((current_time/3600) - (2.5 * scoreTimeZero))))",
"exec_python": "score = (scoreTimeZero) / (1 + numpy.exp( (3/(scoreTimeZero)) * ((current_time/3600) - (2.5 * scoreTimeZero))))",
"user": {
"guid": "OFA-GUID-XXXX-XXXX-XXXX",
"name": "Your name",
"surname": "Your surname",
"username": "Your email",
"role": 0,
"unsuccessful_login": 0,
"member_of": {
"gid": "OFA-GID-XXXXXXX",
"name": "Organisation name",
"trust": 0.9,
"delay": "0"
}
}
},
"body": [
{
"gid": "OFA-RULE-GID-XXXXXX",
"ip": "XXX.YYY.ZZZ.WWW",
"ts": 1684015144,
"entry_ts": 1683928684,
"is_network": false,
"ip_info": {
"as_domain": "cloudflare.com",
"as_name": "Cloudflare, Inc.",
"asn": "AS13335",
"continent": "NA",
"continent_name": "North America",
"country": "US",
"country_name": "United States"
},
"score": 34,
"info": {
"members": 1,
"events": 1,
"sources": [
"sshlog"
],
"stix_bundles": [],
"attack_infos": [],
"notes": [
"May 12 23:47:55 OFA-SRV2 sshd[12317]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XXX.YYY.ZZZ.WWW user=root"
]
},
"elk_ts": "2023-05-13T21:59:04.000Z",
"elk_entry_ts": "2023-05-12T21:58:04.000Z",
"delay": 0,
"dec": 8.3e-7
}
]
}
}
}
}
}
}
},
"security": [
{
"Authorization": []
}
]
},
"post": {
"summary": "Report IPv4",
"description": "Post information about threat intelligence in relation to a IPv4",
"operationId": "Report IPv4",
"tags": [
"IPv4 Feeds"
],
"parameters": [],
"requestBody": {
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"ip": {
"type": "string",
"description": "An IPv4 format for single IP or Network"
},
"confidence": {
"type": "number",
"description": "A confidence value from 0.0 to 1.0. A percentage of confidence that the actor is malicious"
},
"notes": {
"type": "string",
"description": "Notes associated to the actor "
},
"decision": {
"type": "number",
"default": -1,
"exclusiveMinimum": true,
"minimum": -2,
"exclusiveMaximum": true,
"maximum": 2,
"description": "-1==no decision (default), 0==whitelist, 1==Block"
},
"ttl": {
"type": "number",
"description": "Until when the decision is valid (Timestamp in the future)"
},
"source": {
"type": "string",
"description": "The source from where the actor was identified"
}
},
"required": [
"ip",
"confidence",
"source"
]
}
}
}
},
"responses": {
"200": {
"description": "",
"content": {},
"headers": {}
},
"201": {
"description": "",
"content": {},
"headers": {}
}
},
"security": [
{
"Authorization": []
}
]
}
},
"/ips/{ipv4}": {
"get": {
"summary": "One IPv4",
"description": "You can call the API `/api/v1/ips/<IPv4>` in order to receive information about the requested IPv4 feed if it is present in the OneFirewall Data Lake. This API is useful when you want to verify whether OneFirewall has any information about the requested actor.",
"operationId": "One IPv4",
"tags": [
"IPv4 Feeds"
],
"parameters": [],
"responses": {
"200": {
"description": "",
"headers": {},
"content": {
"application/json": {
"schema": {
"type": "string"
},
"examples": {
"example1": {
"value": {
"header": {
"type": "IPv4",
"version": 2,
"ts": "1684014988",
"page_size": 1,
"delay": 0,
"eval": "return (scoreTimeZero) / (1 + Math.exp( (3/(scoreTimeZero)) * ((current_time/3600) - (2.5 * scoreTimeZero))))",
"exec_python": "score = (scoreTimeZero) / (1 + numpy.exp( (3/(scoreTimeZero)) * ((current_time/3600) - (2.5 * scoreTimeZero))))",
"user": {
"guid": "OFA-GUID-XXXX-XXXX-XXXX",
"name": "Your name",
"surname": "Your surname",
"username": "Your email",
"role": 0,
"unsuccessful_login": 0,
"member_of": {
"gid": "OFA-GID-XXXXXXX",
"name": "Organisation name",
"trust": 0.9,
"delay": "0"
}
}
},
"body": [
{
"gid": "OFA-RULE-GID-XXXXXX",
"ip": "XXX.YYY.ZZZ.WWW",
"ts": 1684015144,
"entry_ts": 1683928684,
"is_network": false,
"ip_info": {
"as_domain": "cloudflare.com",
"as_name": "Cloudflare, Inc.",
"asn": "AS13335",
"continent": "NA",
"continent_name": "North America",
"country": "US",
"country_name": "United States"
},
"score": 34,
"info": {
"members": 1,
"events": 1,
"sources": [
"sshlog"
],
"stix_bundles": [],
"attack_infos": [],
"notes": [
"May 12 23:47:55 OFA-SRV2 sshd[12317]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XXX.YYY.ZZZ.WWW user=root"
]
},
"elk_ts": "2023-05-13T21:59:04.000Z",
"elk_entry_ts": "2023-05-12T21:58:04.000Z",
"delay": 0,
"dec": 8.3e-7
}
]
}
}
}
}
}
}
},
"security": [
{
"Authorization": []
}
]
},
"parameters": [
{
"in": "path",
"name": "ipv4",
"description": "A single IPv4",
"schema": {
"type": "string"
},
"required": true
}
]
},
"/domains/{domain_name}": {
"get": {
"summary": "Scan Domain",
"description": "Retrieve metadata for over a million known malicious domains.",
"operationId": "Scan Domain",
"tags": [
"Domain Feeds"
],
"parameters": [],
"responses": {
"200": {
"description": "",
"headers": {},
"content": {
"application/json": {
"schema": {
"type": "string"
},
"examples": {
"example1": {
"value": {
"domain": "ukfoyr.com",
"score": 88,
"ts": 1693526732,
"total_reports": 1,
"total_members": 1,
"tags": [
"CTA",
"OneFirewall"
],
"elk_ts": "2023-09-01T00:05:32.000Z",
"elk_entry_ts": "2023-09-01T00:05:32.000Z",
"entry_ts": 1693526732
}
}
}
}
}
}
},
"security": [
{
"Authorization": []
}
]
},
"parameters": [
{
"in": "path",
"name": "domain_name",
"description": "Domain name you wish to get information about (must be in a valid format)",
"schema": {
"type": "string"
},
"required": true
}
],
"put": {
"summary": "Overwrite Decision",
"description": "This API is used to change / overwrite the score-based decision, in other words to manually place an IoC on the whitelist or the blacklist.",
"operationId": "Domain",
"tags": [
"Domain Feeds"
],
"parameters": [],
"requestBody": {
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"decision": {
"type": "integer",
"description": "0 for whitelist, 1 for blacklist, -1 (default) for based on score (not overwrite)",
"exclusiveMinimum": true,
"minimum": -2,
"exclusiveMaximum": true,
"maximum": 2,
"default": -1
}
},
"required": [
"decision"
]
}
}
}
},
"responses": {
"200": {
"description": "",
"content": {},
"headers": {}
}
},
"security": [
{
"Authorization": []
}
]
}
},
"/domains/score/{min_score}": {
"get": {
"summary": "Domains by Score",
"description": "Retrieve a list of malicious domains",
"operationId": "Domains by Score",
"tags": [
"Domain Feeds"
],
"parameters": [
{
"in": "query",
"name": "format",
"description": "CSV=the output is CSV, LIST=the output is a list of digest separated by ‘,’",
"schema": {
"type": "string",
"default": "CSV",
"enum": [
"CSV",
"LIST"
]
}
},
{
"in": "query",
"name": "page",
"description": "A cursor that indicates the next page ID to access the next batch of data",
"schema": {
"type": "string"
}
},
{
"in": "query",
"name": "protocol",
"description": "HTTP or HTTPS (String)",
"schema": {
"type": "string",
"enum": [
"HTTP",
"HTTPS"
]
},
"required": true
}
],
"responses": {
"200": {
"description": "If the response headers contain a header named next_page, pass its value in a new request to this API in order to retrieve the next batch of data for the same score. If the header is not present, there is no more data to return.\n\n\n",
"headers": {},
"content": {
"text/html": {
"schema": {
"type": "string"
},
"examples": {
"example1": {
"value": "domain1.xyz\ndomain2.xyz\n..."
}
}
}
}
},
"400": {
"content": {},
"headers": {},
"description": "The request was malformed (body contains further explanations)"
},
"402": {
"description": "Not enough OneFirewall Coins to perform the request",
"content": {},
"headers": {}
},
"403": {
"description": "The request was not authorized (body contains further explanations)",
"content": {},
"headers": {}
},
"404": {
"description": "The requested digest was not found",
"content": {},
"headers": {}
}
},
"security": [
{
"Authorization": []
}
]
},
"parameters": [
{
"in": "path",
"name": "min_score",
"description": "Minimum WCF Crime Score Feeds",
"schema": {
"type": "number",
"exclusiveMinimum": true,
"exclusiveMaximum": true,
"minimum": 1,
"maximum": 1000
},
"required": true
}
]
},
"/domains": {
"get": {
"summary": "Domains by TS",
"description": "Retrieve the latest malicious domains recorded",
"operationId": "Domains by TS",
"tags": [
"Domain Feeds"
],
"parameters": [
{
"in": "query",
"name": "ts",
"description": "Latest updates starting from this timestamp",
"schema": {
"type": "number"
},
"required": true
},
{
"in": "query",
"name": "page_size",
"description": "Maximum size to return",
"schema": {
"type": "number",
"default": 101,
"exclusiveMinimum": true,
"minimum": 100,
"exclusiveMaximum": true,
"maximum": 2000
},
"required": false
}
],
"responses": {
"200": {
"description": "The request was received and processed successfully",
"headers": {},
"content": {
"application/json": {
"schema": {
"type": "string"
},
"examples": {
"example1": {
"value": {
"header": {
"type": "Domain",
"version": 4,
"ts": 1693519200,
"next_ts": 1693526758,
"page_size": 100,
"user": {
"guid": "OFA-GUID-DSDG-FDFG-XJDO",
"name": "Name",
"surname": "Surname",
"username": "[email protected]",
"role": 0,
"unsuccessful_login": 0,
"member_of": {
"gid": "OFA-GID-sdgdfgdfd",
"name": "Org1",
"trust": 0.85,
"delay": "0",
"credit_tokens": 2000000000,
"debit_tokens": 1888975
}
}
},
"body": [
{
"domain": "ukfoyr.com",
"score": 88,
"ts": 1693526732,
"total_reports": 1,
"total_members": 1,
"tags": [
"CTA",
"OneFirewall"
],
"elk_ts": "2023-09-01T00:05:32.000Z",
"elk_entry_ts": "2023-09-01T00:05:32.000Z",
"entry_ts": 1693526732
},
{
"domain": "vewuio.com",
"score": 88,
"ts": 1693526732,
"total_reports": 1,
"total_members": 1,
"tags": [
"CTA",
"OneFirewall"
],
"elk_ts": "2023-09-01T00:05:32.000Z",
"elk_entry_ts": "2023-09-01T00:05:32.000Z",
"entry_ts": 1693526732
}
]
}
}
}
}
}
}
},
"security": [
{
"Authorization": []
}
]
},
"post": {
"summary": "Report Domain",
"description": "Enable users to report domains suspected of serving malware, viruses, or trojans.",
"operationId": "Report Domain",
"tags": [
"Domain Feeds"
],
"parameters": [],
"requestBody": {
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"confidence": {
"type": "number",
"description": "Confidence level on the malicious capabilities of the domain",
"default": 1
},
"tags": {
"type": "array",
"items": {
"type": "string"
},
"uniqueItems": true,
"minItems": 1,
"maxItems": 10
},
"domain": {
"type": "string",
"description": "Domain name"
}
},
"required": [
"confidence",
"file_type",
"domain"
]
}
}
}
},
"responses": {
"200": {
"description": "The request was received and processed successfully, no body content\n",
"content": {},
"headers": {}
}
},
"security": [
{
"Authorization": []
}
]
},
"parameters": []
},
"/urls/{url}": {
"get": {
"summary": "Scan URL",
"description": "Retrieve metadata for over a million known malicious feeds.",
"operationId": "Scan URL",
"tags": [
"URL Feeds"
],
"parameters": [],
"responses": {
"200": {
"description": "",
"headers": {},
"content": {
"application/json": {
"schema": {
"type": "string"
},
"examples": {
"example1": {
"value": {
"url": "http://www.almaservice.it",
"score": 54,
"ts": 1695896501,
"total_reports": 1,
"total_members": 1,
"tags": [
"MARAVENTO",
"OneFirewall"
],
"elk_ts": "2023-09-28T10:21:41.000Z",
"elk_entry_ts": "2023-09-28T10:21:41.000Z",
"entry_ts": 1695896501
}
}
}
}
}
}
},
"security": [
{
"Authorization": []
}
]
},
"parameters": [
{
"in": "path",
"name": "url",
"description": "URL you wish to get information about (must be in a valid format and URL-encoded)",
"schema": {
"type": "string"
},
"required": true
}
],
"put": {
"summary": "Overwrite Decision",
"description": "This API is used to change / overwrite the decision based on score; in other words, to manually place an IoC on the whitelist or blacklist.",
"operationId": "Overwrite Decision URL",
"tags": [
"URL Feeds"
],
"parameters": [],
"requestBody": {
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"decision": {
"type": "integer",
"description": "0 for whitelist, 1 for blacklist, -1 (default) for based on score (not overwrite)",
"exclusiveMinimum": true,
"minimum": -2,
"exclusiveMaximum": true,
"maximum": 2,
"default": -1
}
},
"required": [
"decision"
]
}
}
}
},
"responses": {
"200": {
"description": "",
"content": {},
"headers": {}
}
},
"security": [
{
"Authorization": []
}
]
}
},
"/urls/score/{min_score}": {
"get": {
"summary": "URLs by Score",
"description": "Retrieve a list of malicious urls",
"operationId": "URLs by Score",
"tags": [
"URL Feeds"
],
"parameters": [
{
"in": "query",
"name": "format",
"description": "CSV=the output is CSV, LIST=the output is a list of digest separated by ‘,’",
"schema": {
"type": "string",
"default": "CSV",
"enum": [
"CSV",
"LIST"
]
}
},
{
"in": "query",
"name": "page",
"description": "A cursor that indicates the next page ID to access the next batch of data",
"schema": {
"type": "string"
}
}
],
"responses": {
"200": {
"description": "If the response headers contain a variable named next_page, pass its value in a new request to this API to retrieve the next batch of data for the same score. If the header is not present, there is no more data to return.\n\n\n",
"headers": {},
"content": {
"text/html": {
"schema": {
"type": "string"
},
"examples": {
"example1": {
"value": "URL1\nURL2\n..."
}
}
}
}
},
"400": {
"content": {},
"headers": {},
"description": "The request was malformed (body contains further explanations)"
},
"402": {
"description": "Not enough OneFirewall Coins to perform the request",
"content": {},
"headers": {}
},
"403": {
"description": "The request was not authorized (body contains further explanations)",
"content": {},
"headers": {}
},
"404": {
"description": "The requested digest was not found",
"content": {},
"headers": {}
}
},
"security": [
{
"Authorization": []
}
]
},
"parameters": [
{
"in": "path",
"name": "min_score",
"description": "Minimum WCF Crime Score Feeds",
"schema": {
"type": "number",
"exclusiveMinimum": true,
"exclusiveMaximum": true,
"minimum": 1,
"maximum": 1000
},
"required": true
}
]
},
"/urls": {
"get": {
"summary": "URLs by TS",
"description": "Retrieve the latest malicious URLs recorded",
"operationId": "URLs by TS",
"tags": [
"URL Feeds"
],
"parameters": [
{
"in": "query",
"name": "ts",
"description": "Latest updates starting from this timestamp",
"schema": {
"type": "number"
},
"required": true
},
{
"in": "query",
"name": "page_size",
"description": "Maximum size to return",
"schema": {
"type": "number",
"default": 101,
"exclusiveMinimum": true,
"minimum": 100,
"exclusiveMaximum": true,
"maximum": 2000
},
"required": false
}
],
"responses": {
"200": {
"description": "The request was received and processed successfully",
"headers": {},
"content": {
"application/json": {
"schema": {
"type": "string"
},
"examples": {
"example1": {
"value": {
"header": {
"type": "URL",
"version": 4,
"ts": 1693519200,
"next_ts": 1695919395,
"page_size": 100,
"user": {
"guid": "OFA-GUID-3256-FDGS-OODP",
"name": "Name",
"surname": "Surname",
"username": "[email protected]",
"role": 0,
"unsuccessful_login": 0,
"member_of": {
"gid": "OFA-GID-jkbjhvhjg",
"name": "Org1",
"trust": 0.85,
"delay": "0",
"credit_tokens": 2000000000,
"debit_tokens": 1888963
}
}
},
"body": [
{
"url": "http://www.almaservice.it",
"score": 54,
"ts": 1695896501,
"total_reports": 1,
"total_members": 1,
"tags": [
"MARAVENTO",
"OneFirewall"
],
"elk_ts": "2023-09-28T10:21:41.000Z",
"elk_entry_ts": "2023-09-28T10:21:41.000Z",
"entry_ts": 1695896501
},
{
"url": "http://www.gothamserver.net",
"score": 54,
"ts": 1695898867,
"total_reports": 1,
"total_members": 1,
"tags": [
"MARAVENTO",
"OneFirewall"
],
"elk_ts": "2023-09-28T11:01:07.000Z",
"elk_entry_ts": "2023-09-28T11:01:07.000Z",
"entry_ts": 1695898867
}
]
}
}
}
}
}
}
},
"security": [
{
"Authorization": []
}
]
},
"post": {
"summary": "Report URL",
"description": "Enable users to report URLs suspected of serving malware, viruses, or trojans.",
"operationId": "Report URL",
"tags": [
"URL Feeds"
],
"parameters": [],
"requestBody": {
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"confidence": {
"type": "number",
"description": "Confidence from 0.0 to 1.0",
"default": 1
},
"tags": {
"type": "array",
"items": {
"type": "string"
},
"uniqueItems": true,
"minItems": 1,
"maxItems": 10
},
"url": {
"type": "string",
"description": "URL being reported (the confidence value expresses the confidence level on its malicious capabilities)"
}
},
"required": [
"confidence",
"file_type",
"url"
]
}
}
}
},
"responses": {
"200": {
"description": "The request was received and processed successfully, no body content\n",
"content": {},
"headers": {}
}
},
"security": [
{
"Authorization": []
}
]
},
"parameters": []
},
"/vpn/{vid}": {
"get": {
"description": "Get information and installation instructions for a given VPN License ID",
"operationId": "Get VPN ID",
"tags": [
"Secure VPN"
],
"parameters": [],
"responses": {
"200": {
"description": "",
"headers": {},
"content": {
"application/json": {
"schema": {
"type": "string"
},
"examples": {
"example1": {
"value": {
"vid": "OFA-VID-LIC-XXXXXX",
"account_name": "Test",
"notes": "",
"ts": 1720917876,
"user": {
"guid": "OFA-GUID-2091-4193-9813",
"name": "Name",
"surname": "Surname",
"username": "[email protected]",
"role": 0,
"unsuccessful_login": 0,
"member_of": {
"gid": "OFA-GID-XXXXXXX",
"name": "OneFirewall Alliance LTD",
"trust": 0.85,
"delay": "0",
"credit_tokens": 20003000,
"debit_tokens": 2597036,
"is_public": 0
}
},
"mgid": "OFA-GID-XXXXXXXXX",
"exist": true
}
}
}
}
}
}
},
"security": [
{
"Authorization": []
}
],
"summary": "Get VPN ID"
},
"delete": {
"description": "Deactivate a given VPN License ID",
"operationId": "Delete VPN ID",
"tags": [
"Secure VPN"
],
"parameters": [],
"responses": {
"200": {
"description": "",
"content": {},
"headers": {}
}
},
"security": [
{
"Authorization": []
}
],
"summary": "Delete VPN ID"
},
"parameters": [
{
"in": "path",
"name": "vid",
"description": "VPN ID (Starts with OFA-VID-LIC prefix)",
"schema": {
"type": "string"
},
"required": true
}
]
},
"/vpn": {
"get": {
"summary": "Get all",
"description": "Use this method to get an array of the active VPNs for your organization",
"operationId": "Get all Active VPN for your Organization",
"tags": [
"Secure VPN"
],
"parameters": [],
"security": [
{
"Authorization": []
}
],
"responses": {
"200": {
"description": "",
"headers": {},
"content": {
"application/json": {
"schema": {
"type": "string"
},
"examples": {
"example1": {
"value": [
{
"vid": "OFA-VID-LIC-XXXX",
"account_name": "Test",
"notes": "",
"ts": 1720950949,
"user": {
"guid": "OFA-GUID-2091-4193-9813",
"name": "Name",
"surname": "Surname",
"username": "[email protected]",
"role": 0,
"unsuccessful_login": 0,
"member_of": {
"gid": "OFA-GID-XXXXXX",
"name": "OneFirewall Alliance LTD",
"trust": 0.85,
"delay": "0",
"credit_tokens": 20003000,
"debit_tokens": 2597241,
"is_public": 0
}
},
"mgid": "OFA-GID-XXXXX",
"exist": true
},
{
"vid": "OFA-VID-LIC-XXXXX",
"account_name": "ds",
"notes": "",
"ts": 1720954197,
"user": {
"guid": "OFA-GUID-2091-4193-9813",
"name": "Name",
"surname": "Surname",
"username": "[email protected]",
"role": 0,
"unsuccessful_login": 0,
"member_of": {
"gid": "OFA-GID-XXXXX",
"name": "OneFirewall Alliance LTD",
"trust": 0.85,
"delay": "0",
"credit_tokens": 20003000,
"debit_tokens": 2597277,
"is_public": 0
}
},
"mgid": "OFA-GID-XXXXX",
"exist": true
}
]
}
}
}
}
}
}
},
"post": {
"summary": "Create",
"description": "Create a new VPN License",
"operationId": "Create a new VPN License for your Organization",
"tags": [
"Secure VPN"
],
"parameters": [],
"requestBody": {
"content": {
"application/json": {
"schema": {
"type": "object",
"properties": {
"account_name": {
"type": "string",
"description": "Account name (mandatory)"
},
"notes": {
"type": "string",
"description": "Additional notes"
}
},
"required": [
"account_name"
]
}
}
}
},
"security": [
{
"Authorization": []
}
],
"responses": {
"200": {
"description": "",
"content": {},
"headers": {}
}
}
}
}
},
"components": {
"schemas": {},
"securitySchemes": {
"Authorization": {
"type": "apiKey",
"in": "header",
"description": "Authorization Token",
"name": "Authorization"
}
},
"headers": {},
"responses": {}
},
"security": []
}